SEC Cybersecurity Incident Disclosure Rules

The U.S. Securities and Exchange Commission’s cybersecurity incident disclosure rules, implications for compliance, and best practices for responding to a cyberattack.

Cybersecurity incidents are becoming more frequent and severe, posing significant risks to businesses and investors. The U.S. Securities and Exchange Commission (SEC) has issued guidance and enforcement actions to address the disclosure obligations of public companies and regulated entities in the event of a cybersecurity incident. This article provides an overview of the SEC’s cybersecurity incident disclosure rules, their implications for compliance, and some best practices for responding to a cyberattack.

The SEC's Cybersecurity Incident Disclosure Rules

The SEC’s cybersecurity incident disclosure rules are based on the principle that material information that affects the value of a company’s securities or the operations of a regulated entity must be disclosed to investors and the public in a timely and accurate manner. The SEC considers cybersecurity incidents to be material events that may trigger disclosure obligations under the following rules :

Regulation S-K, which requires public companies to disclose material information in their periodic reports, registration statements, and proxy statements.
Regulation FD, which prohibits public companies from selectively disclosing material nonpublic information to certain persons without making public disclosure of the same information.
Section 13(r) of the Securities Exchange Act of 1934, which requires public companies to disclose in their annual and quarterly reports any transactions or dealings with certain sanctioned persons or entities that are involved in cybersecurity incidents.
Rule 30(a) of Regulation S-P, which requires registered broker-dealers, investment advisers, and other financial institutions to adopt written policies and procedures to protect customer records and information from unauthorized access, use, or disclosure.
Rule 206(4)-7 of the Investment Advisers Act of 1940, which requires registered investment advisers to adopt and implement written policies and procedures to prevent violations of the federal securities laws, including those related to cybersecurity incidents.
Rule 38a-1 of the Investment Company Act of 1940, which requires registered investment companies to adopt and implement written policies and procedures to prevent violations of the federal securities laws, including those related to cybersecurity incidents.

Implications for Compliance

The SEC’s cybersecurity incident disclosure rules impose significant compliance obligations and challenges for public companies and regulated entities. Some of the key implications are :

Public companies and regulated entities must assess the materiality of a cybersecurity incident and determine whether, when, and how to disclose it to investors and the public.
Public companies and regulated entities must maintain adequate disclosure controls and procedures to ensure that cybersecurity incidents are promptly identified, reported, and disclosed.
Public companies and regulated entities must cooperate with the SEC and other regulators in the event of a cybersecurity incident investigation or enforcement action.
Public companies and regulated entities must review and update their cybersecurity policies and procedures to address the evolving cyber threats and regulatory expectations.

Best Practices for Responding to a Cyberattack

While the SEC’s cybersecurity incident disclosure rules provide a general framework for compliance, they do not prescribe a one-size-fits-all approach for responding to a cyberattack. Each cybersecurity incident is unique and requires a tailored response based on the facts and circumstances. However, some of the best practices for responding to a cyberattack are :

Establish a cross-functional incident response team that includes legal, compliance, IT, PR, and other relevant stakeholders.
Engage external experts, such as forensic consultants, cybersecurity lawyers, and crisis communicators, as needed.
Contain and mitigate the cyberattack as soon as possible to limit the damage and restore normal operations.
Conduct a thorough investigation to determine the nature, scope, and impact of the cyberattack, as well as the potential legal and regulatory implications.
Communicate with investors, customers, employees, regulators, and other stakeholders in a timely, transparent, and consistent manner, while avoiding premature or inaccurate disclosures.
Document the incident response process and the lessons learned, and implement remedial actions and enhancements to prevent or minimize future cyberattacks.

Conclusion

The SEC’s cybersecurity incident disclosure rules are designed to protect investors and the public from the adverse effects of cyberattacks. Public companies and regulated entities must comply with these rules and be prepared to respond to a cyberattack in an effective and responsible manner. By following the best practices outlined in this article, public companies and regulated entities can enhance their cybersecurity posture and reduce their legal and regulatory risks.

References

SEC, "Commission Statement and Guidance on Public Company Cybersecurity Disclosures", February 21, 2018, https://www.sec.gov/rules/interp/2018/33-10459.pdf
SEC, "Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements", October 16, 2018, https://www.sec.gov/litigation/investreport/34-84429.pdf
SEC, "Cybersecurity Enforcement Actions", https://www.sec.gov/spotlight/cybersecurity-enforcement-actions

Post Tags :