Preparing for SEC’s New Cybersecurity Rules
November 02, 2023
By Tony Caldwell, Diamond J. Zambrano, and Angela S. Kim
On July 26, 2023, the U.S. Securities and Exchange Commission (“SEC”) adopted final rules relating to enhanced cybersecurity disclosures, which became effective on September 5, 2023 (the “Final Rules”).[1] Beginning in December 2023, the Final Rules will require public companies to promptly disclose material cybersecurity incidents and information regarding their cybersecurity risk management, strategy, and governance.[2] This alert focuses on practical preparation tools for companies facing compliance with the requirements of the Final Rules.
Preparation for the Final Rules
In light of the changes brought by the Final Rules, public companies should consider the following actions:
- Review Existing Vendor Contracts. Companies should review protections in existing vendor contracts that address cybersecurity incidents and determine whether any contractual revisions or changes are needed to accommodate the Final Rules. Such revisions may include adding express provisions to address claims or liabilities arising from the required disclosures under new Item 1.05 of Form 8-K, which requires disclosure within four business days if a registrant experiences a “cybersecurity incident” that is determined to be material.
- Vendor Due Diligence. For prospective vendors, companies should perform a thorough cybersecurity due diligence investigation now more than ever because required disclosures of cybersecurity incidents include unauthorized occurrences and “related unauthorized occurrences” on the company’s information systems that jeopardize the confidentiality, integrity, and/or availability of the company’s information systems or any information residing therein. Such information systems include those owned or used by the company. Hence, required disclosures extend to systems owned by third-party vendors. Companies should therefore understand each vendor’s cybersecurity framework, including risk management, strategy, and governance disclosure processes. Each vendor’s reporting process and incident response framework should be closely assessed. Furthermore, companies should determine each vendor’s cybersecurity readiness by looking for risk assessment programs and strong notification procedures.
- Implement Contractual Commitments to Address Notification. Following a strong due diligence investigation, companies should ensure that contractual commitments and written policies are in place with vendors for prompt notification of cybersecurity incidents. For example, an effective information security addendum requires a vendor to maintain formal and documented cybersecurity policies and procedures, including prompt notification of cybersecurity incidents and supply of the detailed information the company needs to assess them. Such procedures should allow companies to efficiently evaluate and disclose cybersecurity incidents. Additionally, all vendor agreements should include contractual protections that allow companies to oversee and assess risk using their own internal processes.
- Team Preparedness for Cyber Incidents. Historically, companies have largely tracked cyber incidents through their information security teams. Compliance with each of the Final Rules, however, will require companies to adopt coherent and consistent procedures that their board and management can comfortably follow. The Final Rules stress the importance of governance disclosures in enhancing cybersecurity risk management by requiring companies to describe their board of directors’ oversight of cybersecurity risks, as well as management’s role, under new Item 106(c) of Regulation S-K. Therefore, companies should have coherent and consistent policies and procedures in place for their board and management to effectively oversee, detect, and monitor such risks. Companies should strive to provide information that is easily accessible and sufficiently straightforward for the board to efficiently and effectively assess cyber risks and occurrences. Under new Item 106(b) of Regulation S-K, the SEC requires companies to disclose risk assessment processes that are sufficiently detailed but clear for a reasonable investor to understand. Overly technical and complicated language could deter the company’s board and management from properly tracking and reporting cyber incidents, resulting in violations and possibly even SEC enforcement actions. Additionally, companies should emphasize consistency when addressing cyber incidents, so the board and management are receiving and understanding all necessary information from different teams (including appropriately assigning responsibilities). For instance, the board and management should decide on a step-by-step process for tracking the factors considered for determining a “material” cybersecurity incident, disclosed on Form 8-K (or Form 6-K), and use and enforce that process consistently.
To test the effectiveness of their cybersecurity framework, companies should consider management-led tabletop or simulation exercises. During such exercises, teams should enact current procedures in place to address cybersecurity incidents and internal escalation of occurrences. Such activities should allow the board and management to evaluate their risk management plans and procedures and increase efficiency in the decision-making process by mapping out clear roles and responsibilities. Team exercises should help the board and management make the necessary changes to their current disclosure procedures to conform to the new disclosure requirements under the Final Rules.
Finally, companies should seek assistance from their chief information security officer and/or chief information officer and ensure such officers relay important information regarding cybersecurity measures to the rest of the board and management. Companies may also consider assembling internal teams and assigning different responsibilities to each team or seeking the assistance of external advisors. Inviting third-party consultants should also prove helpful for strengthening cybersecurity frameworks.
- Consult Cyber Insurance Brokers. Companies should have annual briefings with their board on cyber insurance and allow brokers to discuss cybersecurity risks and liabilities and their financial impact on the directors and officers of the company. Cyber insurance brokers can help companies and businesses consider different cyber insurance options and find the right insurance coverage depending on the level of security required. Companies should acquire adequate coverage, taking into consideration the rigorous Final Rules.
How We Can Help
Cybersecurity is a technical and complex area where outside expertise should be effectively utilized. In particular, the complexity of the Final Rules may necessitate public companies to seek legal advice regarding existing cybersecurity practices to conform to the new standards mandated by the Final Rules.
[1] U.S. Securities and Exchange Commission, Release No. 33-11216, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (July 26, 2023).
[2] For more information, see our prior article “SEC’s Final Rule on Cybersecurity, Risk Management, Strategy, Governance, and Incident Disclosure.”
©2023 Snell & Wilmer L.L.P. All rights reserved. The purpose of this publication is to provide readers with information on current topics of general interest and nothing herein shall be construed to create, offer, or memorialize the existence of an attorney-client relationship. The content should not be considered legal advice or opinion, because it may not apply to the specific facts of a particular matter. As guidance in areas is constantly changing and evolving, you should consider checking for updated guidance, or consult with legal counsel, before making any decisions.