
Preparing for a Cyber Caremark Lawsuit: Lessons from the Home Depot Derivative Complaint | Carlton Fields

The new SEC Cybersecurity Regulations (17 CFR 229.106) that go into effect December 2023 have raised the bar for Directors and Officers of public companies to take the actions needed to protect themselves from shareholder lawsuits that could result from a material cyber-incident (which now must be reported to the SEC within four business days) that results in shareholder losses. History offers us a sobering look into one such shareholder lawsuit against Home Depot, which is documented in the article linked below (click Read More). "It blames the 12 individual defendants — 11 current and former directors and officers at Home Depot, as well as the company’s general counsel — for failure to oversee the company’s cybersecurity adequately."

The article also contains some prudent advice for Officers and Directors to protect themselves from personal liability in the event of such a lawsuit. This advice is especially important now that the SEC Cybersecurity Regulations are codified and go into effect December 2023, and CISA is providing companies with advance warning, through its Known Exploited Vulnerabilities (KEV) catalog, of material cyber-risks in software products that may be installed within a Company's software assets, resulting in "material" cyber-risks to the Company and potential liability to Officers and Directors. The Log4j KEV identified by CISA, CVE-2021-44228, is an example of a material cyber-risk that Companies need to detect PROACTIVELY (Left of Bang), as soon as a "KEV warning" is issued by CISA. "Software vulnerabilities are not some mundane part of the tech ecosystem. Hackers often rely on these flaws to compromise their targets."

Here are a few useful recommendations from the Home Depot Caremark Lawsuit experience contained in the article (Read More):

Liability for directors and officers in a cyber Caremark derivative action will likely depend on whether those individuals put in place before the breach a reasonable process calibrated to the company’s data, risk profile, and regulatory environment. And the expense of the defense will be directly proportional to how well this preparation was documented. In this regard, the following proactive best practices should be considered:

  • Conduct a risk assessment that evaluates the nature of the company’s data, its vulnerability to hackers, and the ramifications if it were compromised.

  • Draft policies and procedures, as well as an incident response plan, that not only seek to prevent a data breach but also outline the steps to take after such an event occurs.

  • Consider whether the company’s existing insurance policies provide the requisite coverage for data breaches, as well as defense of the directors and officers in the event of litigation post-breach raising a Caremark or other derivative claim.

  • Evaluate the “tech IQ” of the company’s directors and officers, and then task (or hire) a director to take the lead on cybersecurity oversight, serving as a liaison between the directors and management’s head of IT security. Provide regular updates to the board regarding cybersecurity and use third-party consultants as appropriate.

  • Work with counsel to review and update the company’s public disclosures related to cybersecurity. This is a critical issue, given the SEC’s increasing focus on cybersecurity disclosures. And, plaintiffs — including the Home Depot derivative plaintiff — are likely to use the company’s cybersecurity disclosures to their advantage in litigation (e.g., to argue that the company overstated its defenses).

Boards and company executives can no longer profess ignorance about their company’s cybersecurity.

An article from the American Bar Association also affirms the need for Officers and Directors to implement a "good faith" process to detect cyber-risks and to preserve evidence as proof of implementation to present in any lawsuits or SEC actions. CISA KEVs are "prima facie" red flags warning of cyber-risks that are present and being used by hackers to carry out successful cyber-attacks: "Fiduciary liability is not premised on the occurrence of the underlying event but rather the failure of officers and directors to make a good faith effort to attempt to establish systems of controls or the failure to report clear red flags when they emerge."

Officers and Directors of public companies are directly responsible for cybersecurity processes under the new SEC regulations (17 CFR 229.106; List of Subjects in 17 CFR Parts 229, 232, 239, 240, and 249) that take effect December 2023, as indicated in this Harvard Law School article describing the new regulatory requirements. A material cyber-incident could open the door for shareholder scrutiny of the Company's cybersecurity processes and protections that were in place when the incident occurred, once the material cyber-incident has been reported within the 96-hour deadline, possibly leading to a Caremark lawsuit, as has occurred in the past with Home Depot; see the article below for full details and recommendations (Read More).

It would be prudent for Companies to follow the advice offered in the Home Depot lawsuit article and take action before the December 2023 effective date to ensure that "convincing", "reasonable", "good faith" cybersecurity processes are in place and documented, and that tamper-proof evidence of these controls in operation is preserved. That process documentation and tamper-proof evidence may be needed by the defense to protect Officers and Directors from personal liability in a shareholder lawsuit or SEC action, and presenting it can be very beneficial to the defense.

It's true that Officers and Directors cannot claim ignorance of material cyber-risks, especially within the Software Supply Chain, while the CISA Known Exploited Vulnerabilities (CISA KEV) catalog is publicly available. Entries such as Log4j CVE-2021-44228 notify companies of real, material cyber-risks arising from known exploited software product vulnerabilities in the software supply chain.

People have been asking me, "How long does it take to set up a program/process to monitor and detect software supply chain cyber-risks and CISA KEVs PROACTIVELY to satisfy SEC cybersecurity cyber-risk detection and disclosure requirements?" A minimal program can be set up and operating within one week, and a more fully functional program, with trained staff and production-grade processes, can take up to 3 months. The duration depends largely on customer resource availability and commitment, the technical and organizational proficiency of the customer's personnel responsible for implementing the program, and Executive support and commitment to succeed. The amount of time required can also be affected by the number of software assets in use within an organization.
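The two pieces of such a program that the post keeps returning to are (1) checking the software inventory against the CISA KEV catalog as soon as entries are added, and (2) retaining tamper-proof evidence that the check actually ran. The following Python is an added example written for this page; it is not code from the original post, from Energy Central, or from any vendor named here. The KEV records and the software inventory are constructed samples: the record fields follow the shape of the public CISA KEV JSON feed (published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), but the `CVE-EXAMPLE-0001` row, the `ExampleVendor` product, and the host names are placeholders. The hash-chained evidence log is one way to make the retained records tamper-evident; it is an assumption of this example, not a prescribed SEC format.

```python
"""Check a software inventory against KEV entries and keep a tamper-evident run log.

Added example for this page. KEV_SAMPLE and INVENTORY_SAMPLE are constructed
test data in the shape of the public CISA KEV feed; they are not the live catalog.
"""
import hashlib
import json
from datetime import date

# Constructed sample in the field layout of the CISA KEV feed. Only the Log4j
# row uses a real CVE (it appears on the page); the second row is a placeholder.
KEV_SAMPLE = {
    "catalogVersion": "constructed-sample",
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24"},
        {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "ExampleVendor",
         "product": "ExampleTransfer", "dateAdded": "2023-06-02", "dueDate": "2023-06-23"},
    ],
}

# Constructed software inventory (e.g. exported from an SBOM or asset tool).
INVENTORY_SAMPLE = [
    {"host": "app-01", "vendor": "Apache", "product": "log4j 2", "version": "2.14.1"},
    {"host": "xfer-01", "vendor": "ExampleVendor", "product": "ExampleTransfer", "version": "1.0"},
    {"host": "web-01", "vendor": "OpenSSL", "product": "OpenSSL", "version": "3.0.9"},
]


def _norm(s):
    """Case- and punctuation-insensitive key so 'Log4j2' and 'log4j 2' compare equal."""
    return "".join(ch for ch in s.lower() if ch.isalnum())


def index_kev(catalog):
    """Map (vendor, product) -> KEV entries for constant-time lookup per inventory item."""
    idx = {}
    for v in catalog["vulnerabilities"]:
        idx.setdefault((_norm(v["vendorProject"]), _norm(v["product"])), []).append(v)
    return idx


def find_kev_matches(inventory, catalog, as_of):
    """Return candidate findings: inventory items whose vendor/product appear in KEV.

    KEV entries carry no affected-version ranges, so each hit is a triage item
    for the owning team, not proof that the installed version is exposed.
    """
    idx = index_kev(catalog)
    findings = []
    for item in inventory:
        for v in idx.get((_norm(item["vendor"]), _norm(item["product"])), []):
            findings.append({
                "host": item["host"],
                "asset": f'{item["vendor"]} {item["product"]} {item["version"]}',
                "cveID": v["cveID"],
                "dateAdded": v["dateAdded"],
                "dueDate": v["dueDate"],
                "past_due": as_of > date.fromisoformat(v["dueDate"]),
            })
    return findings


def _digest(obj):
    """SHA-256 over canonical JSON so the same content always hashes the same."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


def append_evidence(log, findings, catalog, inventory, as_of):
    """Append a hash-chained record: when the check ran, on which inputs, with what result."""
    prev = log[-1]["record_hash"] if log else "0" * 64
    body = {
        "run_date": as_of.isoformat(),
        "catalog_version": catalog["catalogVersion"],
        "inventory_sha256": _digest(inventory),
        "findings": findings,
        "prev_hash": prev,
    }
    rec = dict(body, record_hash=_digest(body))
    log.append(rec)
    return rec


def verify_chain(log):
    """Recompute every hash; an edited, dropped or reordered record breaks the chain."""
    prev = "0" * 64
    for rec in log:
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if body["prev_hash"] != prev or _digest(body) != rec["record_hash"]:
            return False
        prev = rec["record_hash"]
    return True


def run_sample(as_of=date(2023, 12, 15)):
    """Run the check twice on the sample data and return (latest findings, evidence log)."""
    log = []
    findings = find_kev_matches(INVENTORY_SAMPLE, KEV_SAMPLE, as_of)
    append_evidence(log, findings, KEV_SAMPLE, INVENTORY_SAMPLE, as_of)
    append_evidence(log, findings, KEV_SAMPLE, INVENTORY_SAMPLE, as_of)
    return findings, log


if __name__ == "__main__":
    found, evidence = run_sample()
    for f in found:
        print(f'{f["host"]}: {f["asset"]} -> {f["cveID"]} (KEV due {f["dueDate"]}, past due: {f["past_due"]})')
    print("evidence chain intact:", verify_chain(evidence))
```

In operation the live feed would replace `KEV_SAMPLE` on a daily schedule and the evidence log would be written to append-only or write-once storage; the chain only detects tampering after the fact, so the storage control is what makes the records "tamper-proof" in the sense the post uses. The vendor/product match is deliberately loose, which produces false positives that a human must close out; that triage record is itself part of the evidence that the process operated.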

The question that every Officer and Director needs to be asking themselves, before the SEC cybersecurity regulation goes into effect in December 2023, is: "Am I confident the cybersecurity processes and retained evidence we have in place will protect me from personal financial losses in the event of a material cyber-incident that results in shareholder losses and a shareholder lawsuit after the SEC Regulations take effect?" The answer to this question may decide how you sleep at night. CFOs, CEOs and other Officers may want to check whether "overconfidence" is introducing personal risk [KROLL]: "Our CFO cyber security survey has shown that Chief Financial Officers are highly confident in their companies’ abilities to ward off cyber security incidents, despite being somewhat unaware of the cyber vulnerabilities their business faces. Almost 87% of the surveyed executives expressed this confidence, yet 61% of them had suffered at least three significant cyber incidents in the previous 18 months."

Watch out for those cyber-icebergs, the "red flags" identified as CISA KEVs in your path.

This may not be your best strategy in December 2023:

[UPDATE October 2, 2023: Progress Software has been accused of negligence in lawsuits with regard to the MOVEit cyber-incident that affected hundreds of companies and 40 million people. We should expect to see more lawsuits when the SEC Cybersecurity Regulations go live, requiring companies to disclose their cybersecurity processes to the public. An SEC investigation is planned. ]

[UPDATE September 2, 2023: Crunchbase places REA at "top of the list" for SEC Cybersecurity ]

[UPDATE September 15, 2023: I'll be presenting a talk on technical implementation solutions for SEC Cybersecurity Regulations on September 30 at BSides CT, hoping to see you there. If you're wondering what/how to implement technical solutions and process documentation to comply with the SEC Cybersecurity Regulations before December 2023 and want to know how long it will take to implement, then this talk is for you. ]