SEC Rules Impose New Four-Day Reporting Requirements for Cybersecurity Incidents

[UPDATE September 2, 2023: Crunchbase places REA at "top of the list" for SEC Cybersecurity]

I attended an energy industry meeting on August 1 where the newly adopted SEC cybersecurity rules were being discussed, especially the impact these new rules will have on Officers and Directors of public companies, i.e., Edison Electric Institute members. A concise article summarizing the new rule is available at the link below. The SEC rule is clear with regard to the need to follow best practices as justification for not providing a safe harbor provision (ref. page 38): "In light of the revision to Instruction 1, we find that a safe harbor, as suggested by some commenters, is unnecessary; adhering to normal internal practices and disclosure controls and procedures will suffice to demonstrate good faith compliance."

The fact sheet provided by the US administration indicates that company cybersecurity processes must be described, including PROACTIVE processes and controls to detect and mitigate vulnerabilities and risks. I presume this also includes known software supply chain threats, risks and vulnerabilities, especially CISA Known Exploited Vulnerabilities (KEV):

"New Regulation S-K Item 106 will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant. Item 106 will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats." US Government Directive BOD 22-01 makes clear the importance of monitoring and addressing CISA Known Exploited Vulnerabilities (CISA KEV).

An article from Harvard Law School Forum on Corporate Governance provides a concise summary and legal view of the new rules:

"The rules require periodic disclosures, under Reg S-K Item 106, about a company's 'processes to assess, identify, and manage material cybersecurity risks, management's role in assessing and managing material cybersecurity risks, and the board of directors' oversight of cybersecurity risk.'"

Periodic disclosure. "The new rules require companies to provide annually in their Forms 10-K disclosure about risk management, strategy and governance regarding cybersecurity risks."

"The final rule (Reg S-K Item 106(b)(1)) requires a description of the company's 'processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.' This revised formulation substitutes 'processes' for 'policies and procedures,' to 'avoid requiring disclosure of the kinds of operational details that could be weaponized by threat actors, and because the term "processes" more fully compasses registrants' cybersecurity practices than "policies and procedures," which suggest formal codification.' The rule requires a description of cybersecurity processes to the extent they relate to material cybersecurity risks; the SEC expects that companies will tailor those processes to threats as they perceive them."

The new SEC Cybersecurity rules go into effect December 2023.

The question that needs to be answered is: "Are companies that aren't actively monitoring software assets for the presence of CISA Known Exploited Vulnerabilities (KEVs) in software putting their Officers and Directors at risk of a Caremark lawsuit or SEC action, in the event of a cyber-incident that must be reported to the SEC within 96 hours?"

Liability for directors and officers in a cyber Caremark derivative action will likely depend on whether those individuals put in place before the breach a reasonable process calibrated to the company’s data, risk profile, and regulatory environment.

The suggestions provided below are an example of internal practices and disclosure processes, controls and procedures for proactive software supply chain risk management: controls that detect and prevent harm from CISA KEVs present in a company's software assets, and that preserve tamper-proof evidence of those controls in operation. Such controls should suffice to demonstrate good faith compliance as defined in the SEC rule under 17 CFR 229.106.
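The two parts of that control, checking an asset inventory against the KEV catalog and keeping evidence that the check ran, can be shown in a few dozen lines. The script below is an added example written for this post, not code from the author, CISA or any vendor; the KEV catalog and asset inventory in it are constructed, the CVE ids are placeholders, and the field names (`cveID`, `vendorProject`, `product`, `dueDate`, `requiredAction`) follow the CISA KEV JSON feed. One caveat a practitioner will notice: KEV entries name a vendor and product but carry no affected-version ranges, so a match here marks an asset for confirmation against NVD or vendor advisory data rather than declaring it vulnerable.

```python
"""Match a software asset inventory against a CISA KEV-style catalog and
record each scan in a hash-chained, append-only evidence log.

Added example for this post. The catalog and inventory are constructed
(placeholder CVE ids); the live CISA feed is not downloaded here."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed KEV-style catalog: field names follow the CISA KEV JSON feed,
# but these entries and CVE ids are placeholders, not real catalog records.
SAMPLE_KEV_CATALOG = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-EXAMPLE1", "vendorProject": "ExampleVendor",
         "product": "Gateway Firmware", "dueDate": "2023-09-15",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-EXAMPLE2", "vendorProject": "OtherVendor",
         "product": "Mail Server", "dueDate": "2023-10-01",
         "requiredAction": "Apply updates per vendor instructions."},
    ]
}

# Constructed asset inventory, as it might be exported from an SBOM or CMDB.
SAMPLE_INVENTORY = [
    {"asset": "substation-gw-01", "vendor": "examplevendor",
     "product": "gateway firmware", "version": "4.2.1"},
    {"asset": "hist-db-02", "vendor": "ExampleVendor",
     "product": "Historian", "version": "7.0"},
    {"asset": "corp-mail-01", "vendor": "OtherVendor",
     "product": "Mail Server", "version": "2.8"},
]


def _key(vendor, product):
    # Case- and whitespace-insensitive vendor/product key.
    return (vendor.strip().lower(), product.strip().lower())


def find_kev_matches(inventory, catalog):
    """Return one finding per (asset, KEV entry) whose vendor/product match.
    KEV has no version ranges, so a hit means 'confirm against NVD/vendor
    data and track to the KEV due date', not 'confirmed vulnerable'."""
    index = {}
    for entry in catalog["vulnerabilities"]:
        index.setdefault(_key(entry["vendorProject"], entry["product"]), []).append(entry)
    findings = []
    for item in inventory:
        for entry in index.get(_key(item["vendor"], item["product"]), []):
            findings.append({
                "asset": item["asset"],
                "version": item["version"],
                "cveID": entry["cveID"],
                "dueDate": entry["dueDate"],
                "requiredAction": entry["requiredAction"],
                "status": "needs-version-confirmation",
            })
    return sorted(findings, key=lambda f: (f["asset"], f["cveID"]))


def _digest(record):
    # Canonical JSON so the hash does not depend on key order or whitespace.
    data = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def append_evidence(log, findings, catalog_version, timestamp=None):
    """Append a scan record whose hash covers the previous record's hash,
    so editing or deleting any earlier record breaks every later link."""
    record = {
        "seq": len(log),
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "catalog_version": catalog_version,
        "findings": findings,
        "prev_hash": log[-1]["hash"] if log else "0" * 64,
    }
    record["hash"] = _digest(record)  # hash taken before the field is added
    log.append(record)
    return record


def verify_chain(log):
    """Recompute every hash and link; False on the first broken record."""
    expected_prev = "0" * 64
    for seq, record in enumerate(log):
        body = {k: v for k, v in record.items() if k != "hash"}
        if record.get("seq") != seq or record.get("prev_hash") != expected_prev:
            return False
        if _digest(body) != record.get("hash"):
            return False
        expected_prev = record["hash"]
    return True


if __name__ == "__main__":
    evidence_log = []
    hits = find_kev_matches(SAMPLE_INVENTORY, SAMPLE_KEV_CATALOG)
    append_evidence(evidence_log, hits, "constructed-catalog-v1")
    print(json.dumps(evidence_log, indent=2))
    print("chain intact:", verify_chain(evidence_log))
```

The hash chain only proves that the log has not been silently edited by whoever holds it; to make it evidence that stands on its own, the latest `hash` should also be written somewhere the operators cannot rewrite, such as a timestamping service or WORM storage, at each scan. Run the scan on a schedule against the current catalog and keep the `catalog_version` so the record shows which KEV additions had been seen at the time.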

I sincerely doubt that any Officer or Director will avoid liability in a shareholder lawsuit if they are not proactively monitoring for cyber-risks in the software supply chain, given the advanced warning provided by the CISA Known Exploited Vulnerabilities (KEV) catalog. I can easily imagine a judge asking Directors and Officers this question during a shareholder lawsuit: "CISA informed you of known software vulnerabilities being exploited. You knew the risks, so what action did you take to protect the company from those risks to fulfill your 'duty of care' obligations and prevent those known CISA software exploited vulnerability risks from causing harm?"

The new rules place greater responsibility on Directors and Officers for disclosing cybersecurity practices and protections and for reporting cyber-incidents. This could be significant when you consider that a material cyber-incident needs to be reported within 96 hours, and that report starts the clock on an investigation into whether Officers and Directors took proper PROACTIVE precautions to detect cyber risks in software and prevent those risks from manifesting as a cyber-incident, measured against their 17 CFR 229.106(b)(1) cybersecurity process disclosures (Form 10-K). Shareholders have a vested interest in protecting their own investments by researching whether Officers and Directors were fulfilling their "duty of care" obligations to detect cyber risks and prevent them from becoming a cyber-incident. Officers and Directors who fail to preserve tamper-proof evidence of their proactive risk detection controls may be at risk of personal liability in any shareholder lawsuit when a cyber-incident occurs that affects shareholder value.

Here are a few key take-aways from the article linked below (Read More):

NOTE: There is legal precedent for holding an Officer accountable when a cyber-incident occurs. The article describes a Caremark lawsuit against Home Depot resulting from a cyber-incident and states:

While a Caremark claim presents a high burden for a plaintiff, this is still bad news for corporate boards. Detailed Caremark claims are costly to litigate. And state corporate law (such as that of Delaware, which applies to Home Depot) limits the extent that a company can insulate and indemnify its directors from monetary damages for breaches of the duties of loyalty and good faith.