SEC Adopts New Cybersecurity Rules for Public Companies

On July 26, 2023, the SEC adopted final rules regarding mandated disclosures of cybersecurity incidents for public companies (registrants) that are subject to the reporting requirements of the Securities Exchange Act of 1934. The rules are effective as of September 5, 2023, and require public disclosure of a cybersecurity incident. Consequently, companies will need to update their corporate governance with respect to incident response plans and the board of directors’ oversight of cybersecurity risks. Companies also will need to review their D&O policies and any other relevant insurance policies.

What do the SEC rules require?

• Registrants must describe their processes for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand. Any third-party service providers that have been incorporated into a company’s risk management processes must also be disclosed.
• Registrants must describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing risks from cybersecurity threats. Registrants must identify all board committees overseeing cybersecurity and how those committees are informed of cybersecurity risks.
• If a registrant suffers a cybersecurity incident, it must disclose the event in a public SEC filing within four business days of determining that a cybersecurity incident is “material” (not the date it is discovered) [This is consistent with the timeframe provided in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA)].
• “Materiality” must be determined without unreasonable delay following the discovery of a cybersecurity incident.
• The registrant must disclose the nature, scope, timing and the material impact (or the reasonably likely impact), including its financial condition and impact on operations.
• Registrants must provide updates about reported incidents in subsequent periodic reports.

The focus of the disclosure rule is “materiality”—a term not defined in the rule. In issuing its guidance however, the SEC stated that the “materiality” standard would be consistent with the standard established through the

securities laws and interpretive case law, i.e., “information is material if ‘there is a substantial likelihood that a reasonable shareholder would consider it important’ in making an investment decision, or if it would have ‘significantly altered the ‘total mix’ of information available.’ “Doubts as to the critical nature of the relevant information should be resolved in favor of those the statute is designed to protect, namely investors.” [Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure p.14 (citations omitted)].

Adoption of these rules was not without controversy and criticism. For example:

• Implementation of compliant governance will take time, money, and resources, especially for smaller companies.
• Companies may be worried about making a public disclosure statement while in the midst of investigating a cyberattack.
• The nature of a cybersecurity incident may quickly change, causing previously imparted information to be incorrect or invalid.
• Disclosure of Incident Response Plans and other governance information will provide bad actors with information about the company, making it more susceptible to a cybersecurity incident.
• The company will need to consider the needs and concerns of other stakeholders such as employees, vendors, clients or customers, business associates, etc. The timeline for disclosing the incident and its scope to key stakeholders may also be compressed (for example, a company may not want to make a public disclosure to investors without first making its own employees aware of the incident).

When will the rules take effect?

For the 10-K and Form 20-F disclosures, disclosures will be due with annual reports for fiscal years ending on or after December 15, 2023. For Form

8-K and Form 6-K disclosures, the disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register, or December 18, 2023. Smaller companies have an additional 180 days to comply.

D&O insurance implications:

Both Insurers and Insureds will be affected by the new rules. Insurers will need to conduct a more comprehensive review of a company’s corporate governance related to these issues and price accordingly. For companies that are minimally compliant or non-compliant, there may be limited markets willing to underwrite to them.

From a liability perspective, it is likely that companies will face a greater likelihood of derivative and securities cases related to disclosure failures on the new rules.

Companies should expect continued increases in Book & Record Demands over governance issues. Lawsuits over “materiality” will increase as will securities suits involving breach of fiduciary duty claims and securities violations involving false and misleading statements by commission or omission. Boards and management will be exposed to duty of oversight suits and, possibly, increased third-party risk.

It is also likely that new rules will increase investigation oversight by the SEC. While individual targets of investigations have broad coverage under most D&O policies, there is great debate and wide variance in the policies with respect to coverage for the Entity as it relates to formal investigations. Companies should decide how they want their D&O policy to respond to this balance sheet risk and to what extent. Policies vary significantly, but options for coverage include:

1. No coverage for investigations of the Entity at all.
2. Coverage for the Entity only when an individual is named as a target of the investigation.
3. Coverage for the Entity if there is a related securities claim (some will look back to when the investigation started; others only cover defense once the related securities claim starts).
4. Coverage for Entity without a requirement for co- defendant or related securities claims (sub-limited in some cases at the desire of the company).

Understanding your policy and the coverage available to you could materially impact the balance sheet protection you have when facing these formal investigations.