
Richard "Dick" Brooks

Examining the challenges with cyber incident reporting in the SEC cybersecurity rules

[UPDATE 9/15/2023: the cyber-breaches at MGM and Caesars are prime examples of the kind of ransomware attack that will need to be reported within four business days once the new SEC cybersecurity rules take effect in December 2023]

The SEC cybersecurity rules (17 CFR 229.106, together with the new Item 1.05 of Form 8-K), which take effect for incident reporting in December 2023, have drawn considerable criticism over the four-business-day incident reporting requirement and over how the “materiality” of a cyber-breach is to be determined. This article examines how difficult it actually is to determine the “initial materiality” of a cyber-incident, and whether victims can report an actual, material cyber-incident within four business days, for the two most common cyber attacks, Ransomware and Data Theft.

The final rule addressed concerns over conflicts with other federal reporting requirements, i.e. CIRCIA, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (see page 43 of the final rule): "While CISA has yet to propose regulations to implement CIRCIA, given the statutory authority, text, and legislative history of CIRCIA, it appears unlikely the regulations would affect the balance of material information available to investors about public companies, because the reporting regime CIRCIA establishes is confidential". In other words, CIRCIA reporting and SEC reporting communicate different information, for different purposes, to different audiences: a confidential report to CISA versus a public disclosure to investors. There is no conflict, and concerns about conflicting cyber-incident reporting requirements are simply FUD.

Even some US Government entities have been critical of the SEC's action to stop cyber-crime through information sharing about cyber-incidents and by holding Directors and Officers accountable for taking action to prevent them. Cybersecurity is a team sport, and the SEC took the lead on cyber-crime when nobody else would. The SEC is to be commended for its integrity and bravery. Other agencies should get behind the SEC and support this courageous action, which actually aims to achieve the goals set out in Executive Order 14028. I encourage US Government agencies to stand with the SEC, as one "Cybersecurity Team", by publicly announcing support for the SEC's action to stop cyber-crime through information sharing, reporting cyber-incidents within four business days, and holding Directors and Officers responsible for implementing prudent "good faith" cybersecurity processes and protections and for disclosing those processes in their Form 10-K filings.

First, let’s state the obvious: “Not all cyber breaches/incidents are the same; some are easy to detect, some are not.” The significant majority of cyber-incidents are carried out by attackers with a financial motive, and the most common involve some form of ransom demand. Ransomware and Data Theft (extortion) are the two most common cyber attacks, and in both the victim typically becomes aware of the breach/incident within hours of the event, because the intruders announce it, and learns the “initial materiality” of the incident from the ransom payment demanded in the note.

With regard to Ransomware and Data Theft, the two most common cyber-incidents, there is no difficulty in meeting the SEC requirement to report a “material cyber-incident” within four business days, including the “initial material impact” as expressed in the ransom payment demand note. Forward-looking projections of recovery cost are harder to pin down precisely, but a reasonable estimate can usually be produced from the value of the breached data and the business functions performed by the impacted systems. Note that the four business days run from the date the registrant determines the incident is material, not from the date of discovery, and the rule requires that determination to be made without unreasonable delay; with a ransom note in hand, that determination can be made the same day.

It is true that some cyber attacks are more difficult to detect and that determining the material impact of such an incident can be challenging; the SolarWinds breach is one such case. These types of breaches are rare and have questionable material impact. What was the material impact of the SolarWinds breach on the software consumers who installed the trojanized update? There were no ransom notes or demands for payment, and none of the data appeared to have been altered, so operations continued as usual with system administrators and security personnel unaware that a breach had occurred.

With regard to knowing which risks exist and are exploitable, here again advance warning is available in many cases: CISA's Known Exploited Vulnerabilities (KEV) catalog and other reports, such as ICS-CERT advisories, are "red flags" warning of genuine, actively exploited cyber-risks that must be addressed through a "good faith" process once the new SEC cybersecurity rules take effect. The MOVEit Transfer exploit (a CISA KEV entry) was reported on May 31, 2023, and victims continue to accumulate because entities are not properly managing and detecting cyber-risks within their ecosystems using the tools available from CISA and security tool providers. The minimum "good faith" check is mechanical: keep a current software inventory and compare it against the KEV feed whenever CISA updates it, treating every match as a risk that must be remediated or explicitly accepted and documented.
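The comparison described above, as an added example that is not code from the original article or from CISA: a Python script that parses a document in the shape of CISA's KEV JSON feed, matches it against an asset inventory by vendor and product, and flags matches that CISA has tied to ransomware campaigns. It also works out the Form 8-K due date from the day an incident is determined to be material. The field names follow the real KEV feed; the catalog entries, their dates, the hostnames and the versions are constructed sample data, and the deadline helper skips weekends only (US federal holidays are not modelled).

```python
"""Added example: cross-check a software inventory against a CISA KEV-style
catalog and compute the Form 8-K filing deadline once an incident is deemed
material. Catalog excerpt, inventory, hostnames and dates are constructed
sample data, not a copy of the live CISA feed."""
import json
from datetime import date, timedelta

# Constructed excerpt in the shape of CISA's KEV JSON feed (the field names
# match the real feed; the entries and dates below are illustrative only).
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (sample excerpt)",
    "vulnerabilities": [
        {"cveID": "CVE-2023-34362", "vendorProject": "Progress", "product": "MOVEit Transfer",
         "vulnerabilityName": "Progress MOVEit Transfer SQL Injection Vulnerability",
         "dateAdded": "2023-06-02", "dueDate": "2023-06-23", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2019-0708", "vendorProject": "Microsoft", "product": "Remote Desktop Services",
         "vulnerabilityName": "Microsoft Remote Desktop Services Remote Code Execution Vulnerability",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03", "knownRansomwareCampaignUse": "Known"},
    ],
})

# Constructed asset inventory: one row per installed product.
INVENTORY = [
    {"host": "xfer-01", "vendor": "Progress", "product": "MOVEit Transfer", "version": "2023.0.0"},
    {"host": "app-07", "vendor": "Apache", "product": "log4j2", "version": "2.14.1"},
    {"host": "db-02", "vendor": "PostgreSQL", "product": "PostgreSQL", "version": "15.3"},
]


def load_kev(text):
    """Parse a KEV-format JSON document into its list of vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def _key(vendor, product):
    # KEV spelling of vendor/product rarely matches an inventory exactly;
    # normalise case and whitespace so "log4j2" still matches "Log4j2".
    return (vendor.strip().lower(), " ".join(product.split()).lower())


def find_kev_exposure(inventory, kev_entries, today):
    """Return one finding per (asset, KEV entry) whose vendor and product match.

    KEV entries carry no version ranges, so every match is a candidate that
    must be confirmed against the vendor advisory; the installed version is
    carried along in the finding for that follow-up.
    """
    by_key = {}
    for entry in kev_entries:
        by_key.setdefault(_key(entry["vendorProject"], entry["product"]), []).append(entry)
    findings = []
    for asset in inventory:
        for entry in by_key.get(_key(asset["vendor"], asset["product"]), []):
            added = date.fromisoformat(entry["dateAdded"])
            findings.append({
                "host": asset["host"],
                "version": asset["version"],
                "cveID": entry["cveID"],
                "name": entry["vulnerabilityName"],
                "ransomware_use": entry["knownRansomwareCampaignUse"] == "Known",
                "days_on_kev": (today - added).days,
                # dueDate is CISA's remediation deadline for federal agencies under
                # BOD 22-01; a private company can still use it as a severity signal.
                "past_cisa_due_date": today > date.fromisoformat(entry["dueDate"]),
            })
    # Ransomware-linked entries first, then the ones that have been public longest.
    findings.sort(key=lambda f: (not f["ransomware_use"], -f["days_on_kev"]))
    return findings


def filing_deadline(determination_date, business_days=4):
    """Day by which the Form 8-K is due: four business days after the registrant
    determines the incident is material (the clock starts at that determination,
    not at discovery). Weekends are skipped; US federal holidays are not modelled."""
    day = determination_date
    remaining = business_days
    while remaining:
        day += timedelta(days=1)
        if day.weekday() < 5:  # Monday=0 ... Friday=4
            remaining -= 1
    return day


if __name__ == "__main__":
    for f in find_kev_exposure(INVENTORY, load_kev(KEV_SAMPLE), date(2023, 6, 5)):
        flag = "RANSOMWARE" if f["ransomware_use"] else ""
        print(f'{f["host"]:8} {f["cveID"]:15} {f["name"]}  v{f["version"]}  '
              f'{f["days_on_kev"]}d on KEV {flag}')
    print("8-K due:", filing_deadline(date(2023, 9, 15)))
```

Run against the real feed, the script would be fed the downloaded catalog instead of KEV_SAMPLE and an export from the asset management system instead of INVENTORY; the output, dated and retained with the remediation decisions, is the kind of evidence of a "good faith" process the article describes.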

Many people are grappling with how these new SEC cybersecurity regulations will affect them, and that includes the insurance companies that offer Directors and Officers liability and cyber-insurance policies.

It is not difficult to see how these new rules increase public company exposure. Registrants that disclose cybersecurity incidents face increased exposure to both consumer privacy violation class action lawsuits and shareholder derivative or other securities claims alleging D&Os breached their cybersecurity governance responsibilities or made misrepresentations in connection with the purchase or sale of securities. Plaintiffs’ lawyers will now be equipped with public information that has the potential to provide the basis for such claims, likely leading to an increase in such lawsuits. [RJB refer to 17 CFR 229.106 (b)(1) Risk management and strategy disclosure requirements]

D&O insurance implications

As a result of the cybersecurity risk management and governance disclosure requirements, registrants are almost certain to face more lawsuits alleging breach of duty or oversight claims. Now that plaintiffs’ lawyers will have access to public companies’ cybersecurity risk management and governance disclosures, there is likely to be an increase in claims alleging registrants failed to prevent “material” cybersecurity incidents because their cybersecurity risk management and governance practices were inadequate.

In summary, the most common cyber breaches, Ransomware and Data Theft attacks, are easily detected, and an “initial material impact” can be reported in a Form 8-K using the ransom payment amount demanded by the intruders, well within the SEC’s four-business-day reporting requirement. Public companies therefore have what they need to be ready to comply with the SEC cybersecurity rules when they become effective in December 2023.

Officers and Directors need to ask themselves one important question "Am I confident the cybersecurity processes and retained evidence we have in place will protect me from personal financial losses in the event of a material cyber-incident that results in shareholder losses and a shareholder lawsuit after the SEC Regulations take effect?"

This is not the time to take risks; now is the time for Officers and Directors to prepare and protect themselves, before the SEC cybersecurity regulations go into effect in December 2023.