SEC’s New Cybersecurity Rules Demand Vigorous Enforcement Despite Compliance Challenges

Public companies should anticipate robust enforcement of the Securities and Exchange Commission's (SEC) new cybersecurity rules, even as compliance challenges persist, according to experts. The rules require public companies to disclose any "material cybersecurity incident" to the SEC on Form 8-K within four business days of determining that the incident is material. All covered registrants must comply with the new breach disclosure requirements, with smaller reporting companies given an additional 180 days before the requirement applies to them.

Cara Peterman, a partner in Alston & Bird's Securities Litigation Group, noted that the rules are relatively new and there may be a learning curve, but the SEC is expected to prioritize cybersecurity enforcement. In recent years, the SEC has repeatedly named cybersecurity a top enforcement priority, signaling increased scrutiny.

The SEC reached a $3 million settlement with software firm Blackbaud in March 2023 over misleading disclosures related to a 2020 ransomware attack. In October 2023, the SEC sued software provider SolarWinds and its chief information security officer for allegedly defrauding investors by mischaracterizing the company's cybersecurity practices in the period leading up to the attack on it.

The new rules, coupled with these enforcement actions, raise the stakes for senior executives, including CFOs. Registrants must disclose the material aspects of an incident and its material impact, or reasonably likely material impact, on the registrant, including its financial condition and results of operations. However, the rules do not define what makes an incident material beyond the existing securities-law standard, leaving companies to make that determination themselves and potentially to defend it in the event of regulatory action or shareholder litigation.

The materiality determination must be made without unreasonable delay after discovery of the incident, and if the incident is material, the company must file a Form 8-K under Item 1.05 within four business days of that determination. Filing may be delayed only if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC in writing. The rules also require companies to describe annually, in their Form 10-K, their processes for assessing and managing cybersecurity risk, management's role in those processes, and the board of directors' oversight of cybersecurity risk.

Despite the compliance challenges and the lack of clarity in certain areas, experts advise companies to prepare for vigorous enforcement. The new rules underscore the importance of documented cybersecurity risk management and transparent, timely reporting as the best defense against regulatory action and legal scrutiny.