Government regulators and legislatures are responding to widespread cybersecurity threats by mandating more intrusive and accelerated disclosure requirements, while demanding that private sector companies implement more stringent cybersecurity measures through revised guidance. Some of these developments will take time to be fully implemented, as they require adoption of regulations—companies are well-advised to begin preparing now given the many technical and process changes that will need to be adopted. For example, the SEC has proposed additional cybersecurity rules with implications for many public companies.

SEC Proposed Cybersecurity Rules for Public Companies

On March 9, 2022, the SEC proposed new disclosure rules for public companies that are subject to the Securities and Exchange Act. 1 The new rule would require covered companies to report any material cybersecurity incident 2 (to be construed broadly) within four (4) business days of determining they have experienced an incident. A few of the required disclosures include (1) the timing of the incident and whether it is ongoing; (2) a description of the nature and scope of the incident; (3) whether data was stolen, altered, accessed, or used in an unauthorized manner; and (4) the impact of the incident on the business and how the company is mitigating the impact. The SEC underscores that notice is not required until the incident has been deemed material (e.g., substantial likelihood that a reasonable shareholder would consider it important for investment decisions). Furthermore, various SEC forms, such as Forms 10-Q and 10-K, will be amended to require disclosure of certain cybersecurity incidents in their regular filings. 

Beyond incident disclosure, the rules also require companies to provide further general disclosures about their cybersecurity practices. Accordingly, an entity must disclose (1) its policies and procedures for identifying and managing cybersecurity risks; (2) its cybersecurity governance structure; and (3) management's role and expertise, including the board of directors' expertise, in assessing and managing cybersecurity risks and implementing appropriate policies and procedures. We expect considerable debate in the rulemaking process on how much information should be disclosed, given that such disclosures may themselves reveal vulnerabilities in a company's systems.

White House Sounds Alarms for Potential Russian Cyberattacks

As Russia's attacks in Ukraine move into their second month, the White House has increased calls for the private sector to harden itself against potential Russian cyberattacks. The Biden administration issued a fact sheet on how companies—particularly those in the 16 critical infrastructure sectors 3—should accelerate hardening their security, recommending that all businesses should take the following steps:

  • Complete an organization drill of emergency plans to test preparedness for an attack;
  • Implement and require multi-factor authentication;
  • Deploy security tools that continuously monitor for threats;
  • Review all systems for necessary patches and updates;
  • Update any passwords that have been potentially compromised;
  • Back up data and ensure that offline backups are available and secured;
  • Encrypt any insecure data;
  • Educate and train employees on common tactics that may be used by attackers; and
  • Encourage rapid reporting of any and all technology crashes or disruptions.

Additionally, technology and software companies have been encouraged to ramp up built-in product security, limit software development to secure and access-limited systems, maintain a "bill of materials" for components used in development, and implement the security practices mandated by Executive Order 14028: Improving the Nation's Cybersecurity.

Footnotes

1 These are separate from the SEC's Investment Industry rules proposed in February. For additional information on that proposal, check out our previous Snapshot.

2 Defined to include any unauthorized event on or through a company's information systems that jeopardizes the confidentiality, integrity, or availability of the information system or the information therein.

3 The critical infrastructure sectors are designated in Presidential Policy Directive 21.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.