Four business days: That’s the time public companies would have to report material cybersecurity incidents under the Securities and Exchange Commission’s newly proposed breach regulations.
The SEC’s proposed rule change would increase reporting obligations for breached organizations, dramatically raise the stakes for public companies, and put added pressure on legal teams to move effectively and with nearly unprecedented urgency once a breach has been discovered.
The Existing Cybersecurity Incident Response Regime
In 2011, the SEC’s Division of Corporation Finance issued guidance regarding registrants’ existing disclosure obligations related to cybersecurity risks and incidents. Seven years later, the SEC issued additional direction to reinforce and expand upon the 2011 guidance, addressing the importance of cybersecurity policies and procedures.
Although disclosures of material cybersecurity incidents, risk management, and governance have improved in the last decade, disclosure practices have remained inconsistent.
The SEC’s new data breach disclosure rules seek to change that, with significantly tighter deadlines and increased consequences for noncompliance.
The SEC’s New Data Breach Disclosure Rules
The SEC’s proposed amendments to its rules would require public companies to:
Report material cybersecurity incidents within four business days after the determination that an incident has occurred
Provide regular updates about cybersecurity incidents reported previously
Describe policies and procedures to identify and manage cybersecurity risks
Disclose cybersecurity governance practices, and
Report on the board of directors’ cybersecurity expertise.
New Reporting Requirement Would Add Even More Urgency to Cyber Incident Response
The discovery of a data breach or cybersecurity incident already triggers a swift response from most legal teams. Unlike litigation or investigations that can play out over a period of months or years, data breach response procedures operate at an extremely fast pace, requiring quick analysis and review while managing significant risks to the business. Under the SEC’s new rule, that process would become even more urgent, with companies having just days to understand, address, and disclose an incident.
The proposed rules seek more consistent disclosure of cybersecurity risk management, strategy, and governance among public companies to improve policies and procedures. Still, the amendment could create substantial litigation and enforcement risks for these companies.
Significant aspects of the proposed regulation include:
The triggering event for disclosure is not the incident itself; the four-day clock starts only once the company “determines that a cybersecurity incident it has experienced is material.” As a result, the SEC disclosure could be required before breach notices are provided to state attorneys general, the impacted businesses, and affected individuals.
Public companies would be expected to be “diligent in making a materiality determination” by “thoroughly and objectively evaluating the total mix of information available.” Although the SEC proposes that cybersecurity incident reporting would be eligible for a limited safe harbor under Rule 13a-15(a) of the Exchange Act for …, this would likely not exempt companies from anti-fraud liability under federal securities laws.
Although the SEC maintains that the proposed rules do not apply to technical information, they would require disclosure of important details surrounding cybersecurity incidents and risk management policies and procedures.
Leveraging Technology When Responding to a Breach
If adopted, the rules would require public companies to spend substantial time and resources implementing protocols to assess current and previous cyber incidents, including those not considered material, to determine potential disclosure obligations.
To meet these challenges, legal teams will need to be equipped with the proper tools and procedures to move quickly once a breach is detected.
First, when a breach is detected, organizations need to be able to quickly identify what data was impacted and determine the size and scope of the incident. Establishing whether sensitive data, such as personally identifiable information, financial information, or health information, was involved is key.
Leveraging the right tools is critical here. Platforms that have sophisticated searching and analytical capabilities and can handle various file types are invaluable. For example, in addition to standard business documents, audio and video (A/V) files containing sensitive information may have been accessed. A platform that includes automatic transcription and A/V search can surface data that may otherwise evade notice. Similarly, interactive databases and spreadsheets with dynamic information will need to be queried, with a tool that can reveal their components.
Rolling reviews, in which data is examined in continuous batches as it’s collected and processed, can allow teams to get an early start on their review. Analytics tools can help identify the most urgent documents, to allow teams to focus their resources where they matter the most.
In the end, the goal is to maintain compliance with a wide network of federal and state requirements, while acting as quickly and defensibly as possible.
Final Thoughts on the SEC’s New Data Breach Rules
These new proposed rule changes put even more pressure on organizations to ethically and adequately handle and manage data security breaches. Legal teams who can move quickly and effectively to develop a strong understanding of their data have an advantage throughout this process, whether that means investigating a security incident or assessing and identifying the types of data impacted, such as PII, PHI, or business-critical information. Organizations may not be able to anticipate every single potential data security risk, but it’s imperative that the necessary steps are in place to ensure data breaches are handled under the letter of the law.
Interested in learning about cybersecurity and how it relates to ediscovery? Download a free copy of our eBook, “Security in the World of Ediscovery for Corporations.”