Thursday, March 10, 2022

The SEC wants companies to disclose data incidents almost immediately


Sometimes the life of an in-house cybersecurity lawyer is stressful. The SEC is not making it any easier.

Yesterday, the US Securities and Exchange Commission proposed a new rule amendment that would require publicly-held companies to file an 8-K to (publicly) disclose a material data incident within four business days of determining it is material.

What would companies be required to disclose?

The proposal calls for the following information to be included in the Current Report on Form 8-K:

  1. When the incident was discovered and whether it is ongoing;
  2. A brief description of the nature and scope of the incident;
  3. Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
  4. The effect of the incident on the registrant’s operations;
  5. Whether the registrant has remediated or is currently remediating the incident; and
  6. An Interactive Data File (XBRL).

That's a lot of detail to collect, confirm, and craft into a coherent report in just four days.

This would dramatically accelerate the reporting timeline for most US companies. State data breach notification laws often give companies 30 or 45 days after discovery of a breach to notify authorities and affected individuals. The SEC notes that "it took on average 44 days for companies to discover breaches, and then in addition, it took an average of 53 days and a median of 37 days for companies to disclose a breach after its discovery." In the wake of a serious breach, most companies would be focused on detecting the compromise; isolating the threat; ejecting the malicious actor or code; protecting their customers, employees, and property; and mitigating risk. Reporting is not usually the most immediate consideration. Unlike most state breach notification laws, however, the proposed rule makes no allowance for delay, even if law enforcement requests a delay in reporting.

What if a company doesn't know those things within four days?

In the days and weeks following an incident, the "facts" tend to evolve and become more clear. Companies rarely are able to describe with great accuracy the nature and effect of a serious, sophisticated cyberattack within four days. The proposed rule calls for updates to be included in the next quarterly report (on Form 10-Q) or annual report (on Form 10-K) ... unless the update is so substantial that the original Form 8-K is inaccurate, in which case an amended Form 8-K must be filed.

What is considered a "cybersecurity incident"?

The term is defined as “an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” The term probably covers privacy violations as well as incidents that do not constitute a "breach" under most state data breach notification laws. Examples from the SEC are:
  • An unauthorized incident that has compromised the confidentiality, integrity, or availability of an information asset (data, system, or network); or violated the registrant’s security policies or procedures. Incidents may stem from the accidental exposure of data or from a deliberate attack to steal or alter data;
  • An unauthorized incident that caused degradation, interruption, loss of control, damage to, or loss of operational technology systems;
  • An incident in which an unauthorized party accessed, or a party exceeded authorized access, and altered, or has stolen sensitive business information, personally identifiable information, intellectual property, or information that has resulted, or may result, in a loss or liability for the registrant;
  • An incident in which a malicious actor has offered to sell or has threatened to publicly disclose sensitive company data; or
  • An incident in which a malicious actor has demanded payment to restore company data that was stolen or altered.

If a series of incidents collectively become material, they too would be required to be disclosed.

Other risk and risk management disclosures are also proposed.

The proposal also calls for regular reporting about a company's policies and procedures to identify and manage cybersecurity risks, the board's oversight of cybersecurity risk, and executive management’s role in cybersecurity risk, policies and procedures.

You can read the entire proposal yourself here, and consider submitting a comment.
