ARTICLE
10 January 2025

2024 SEC Cybersecurity Rule Updates

BakerHostetler

Key Takeaways:

  • Impact Assessment Process – Verify that there is an internal protocol and process for (1) detecting cybersecurity incidents, (2) classifying incidents by potential impact (e.g., low, medium, high, critical), (3) escalating incidents based on severity classification to a committee that evaluates disclosure obligations (e.g., escalate all high and critical incidents), (4) assessing impact based on applicable qualitative and quantitative factors, (5) determining and documenting the decision regarding the impact assessment, and (6) if applicable, filing a Form 8-K under Item 1.05 or 8.01. Doing an executive tabletop exercise is an effective way to test and refine this process and protocol. Having members of the audit committee or board observe the exercise or briefing them on the exercise is a good way to enable effective oversight.
  • Bringdown Process – Ensure that there is a process to review statements related to cybersecurity before quarterly and annual filings for accuracy and completeness, including based on any security incidents or assessments that occurred since the prior filing and to avoid hypothetical statements regarding actual risks that have occurred.
  • Security Statements – Review public-facing security statements for accuracy, completeness and consistency.

The first year of a new significant regulatory obligation is often more notable for the absence of regulatory enforcement actions, as regulators tend to observe compliance efforts and challenges, offer guidance, and look for outliers. Heading into 2024, there was concern about the ability to comply with the Securities and Exchange Commission (SEC) cybersecurity rules. Most of the concern focused on the new Form 8-K disclosure obligation for material cybersecurity incidents. Others commented that the new obligation to disclose a company's cybersecurity risk management strategy would lead to increased regulatory scrutiny and litigation whenever the company disclosed a security incident that suggested something in its cybersecurity strategy disclosure was not accurate. The SEC did offer guidance on the new materiality filing requirement five months into the year and entered into enforcement resolutions related to conduct that occurred before the rules were effective, but the concern about post-incident regulatory/litigation risk did not materialize. This alert includes Form 8-K statistics for the past year, covers notable proceedings and resolution agreements (including dissenting opinions of commissioners on high-profile cases that may be a good forecast of the SEC's approach under a new administration), and offers insights to help navigate the evolving landscape of SEC cybersecurity regulations effectively.

Background. The SEC cybersecurity rule created two new obligations that became effective in December 2023: (1) file a Form 8-K under new Item 1.05 within four days of determining that the impact of a cybersecurity incident is material (with certain content requirements related to the incident) and (2) in a new section of Form 10-K (Item 1C, which refers to the requirements of a new Item 1.06 of Regulation S-K), describe (a) the company's cybersecurity strategy and processes for assessing, identifying and managing material risks from cybersecurity threats, (b) how management and the board oversee and management assesses and manages cybersecurity risks, including addressing which management positions or committees are responsible for such actions, and (c) "whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how."

Materiality. The new rule did not create a new materiality standard. The generally applicable test for materiality still applies – whether "there is a substantial likelihood that a reasonable shareholder would consider [the incident] important in making an investment decision, or if it would have significantly altered the total mix of information made available" to the shareholder.

Companies and commentators expressed a lot of concern that it would be too difficult for companies to meet the new materiality disclosure requirement and that disclosing details about incidents so early would create risks. But in the year before and after the effective date, tabletop exercises that included assessing impact for materiality purposes often led companies to determine that very few variations of a security incident would create a material impact. The scenario most commonly projected as having the potential to create a material impact was a sustained outage (usually meaning longer than ten days). Outside of technology companies where security is a core part of the product/service, qualitative factors were rarely identified as being sufficient to add to the cumulative impact such that the overall impact was material.

  • The first 18 disclosures filed under Item 1.05 of Form 8-K all stated either that the company was still assessing whether the impact on financial condition/results of operations was material or that the incident did not have (or was not expected to have) a material impact on financial condition/results of operations. Some mentioned that there had been an impact on operations, and others said there was no impact on operations. None mentioned qualitative factor impacts. So, the SEC issued guidance on May 21, 2024, recommending that companies not file under Item 1.05 unless the company had determined that the cybersecurity incident was material. For incidents where the impact was not yet known or was not material but the company wanted to disclose the incident in a filing, the SEC encouraged companies to instead use Item 8.01, which is available for companies to voluntarily disclose information not specifically triggered by another Form 8-K item.1
  • On June 24, 2024, the SEC Division of Corporation Finance issued five new Compliance & Disclosure Interpretations mainly covering impact assessment for a ransomware attack. Essentially, the responses to the questions posed confirmed that a company still has to evaluate all factors (qualitative and quantitative) even if it paid a ransom to obtain a decryptor and restored its systems, even if the ransomware payment was covered by insurance, and even if the ransomware payment was small.
  • Companies filed 26 initial Form 8-K Item 1.05 disclosures from December 2023 through December 2024. It was not until the 26th one – filed on December 11, 2024, by a restaurant company for an incident that disrupted its online ordering – that a filing stated that the incident had a material impact on the company's operations and financial condition (although it said it had cyber insurance and did not expect there to be a long-term impact). Earlier initial filings said the impact was not material, had not yet been determined or affected only the quarter. Two initial filings mentioned qualitative factors as risks the company remained subject to (without saying the risk had materialized); the factors mentioned were "adequacy of processes during the period of disruption, diversion of management's attention, potential litigation, changes in customer behavior, and regulatory scrutiny."
  • One ransomware group attempted to use the new rules as additional extortion pressure by filing a whistleblower report with the SEC after the company did not pay a ransom and did not file a Form 8-K. The attempt drew media coverage but likely did not have the impact the ransomware group hoped it would have.

Cybersecurity Strategy Disclosure. Form 10-K Item 1C disclosures thus far have, as expected, varied depending on the company's size, systems and risks, with some common themes emerging that reflect a cautious approach of avoiding detailed information that could be exploited by threat actors.

  • With respect to cybersecurity strategy and processes, most reference risk assessment, access management, logging and monitoring, penetration testing, vulnerability scanning, threat intelligence, employee awareness and training, security monitoring, audits, and tabletop exercises. It has also been common to note use of an external framework, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Most companies use third parties to assist with these processes, and disclose that they conduct due diligence and undertake monitoring or auditing to address cybersecurity risks from using third-party service providers.
  • The audit or other committee of the board most often has responsibility for cybersecurity oversight, with the full board remaining responsible for the general enterprise risk management process into which cybersecurity oversight is integrated.
  • With respect to management's role, most name one or two officers with responsibility, typically including the chief information security officer (CISO), and cite such person's experience before joining the company, years of experience and, to some extent, any relevant certifications or degrees.
  • The most notable point of difference among the Item 1C disclosures is how companies have approached the requirement to describe "whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how." Many tracked the language of the rule to say there were no material effects or reasonably likely material effects, with some adding knowledge qualifiers, limited historical time frames and statements that there can be no assurance that such effects may not occur. Approaches varied as to the extent to which the disclosure covered the "reasonably likely" forward-looking aspect of the requirement, and some did not address this part of the rule at all. Cross-references to the Risk Factors section of the filing were very common, particularly when limited forward-looking disclosure was provided.
  • Companies are reminded that for fiscal 2024 filings, the Item 1C disclosure must be tagged in Inline XBRL (iXBRL). The tagging process requires companies to identify the provision of S-K Item 106 for which the tagged disclosure is responsive, as well as determine which flags to mark as "true" or "false." It is understood that this true or false designation applies to the flag for "Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant," which may be challenging to align with disclosure that does not affirmatively state whether or not such effects have occurred or are reasonably likely to occur.

Enforcement. SEC enforcement actions that were active in litigation or resolved in 2024 arose from incidents that occurred before the effective date of the cybersecurity rules. The claims were for securities fraud for insufficient disclosure as well as violations of the requirements to maintain internal controls and disclosure controls and procedures under the Exchange Act. And they were almost exclusively related to the 2020 SolarWinds incident. The civil fraud lawsuit brought by the SEC against SolarWinds and its CISO was the most notable action.

  • On June 18, 2024, the SEC entered into a resolution agreement with a marketing/packaging/print and supply chain company requiring a $2.1 million payment to resolve claims related to a December 2021 ransomware attack. The SEC's allegations were made under Exchange Act Section 13(b)(2)(B) and Rule 13a-15(a) for failure to maintain adequate internal accounting controls and failure to maintain adequate disclosure controls and procedures. The company used a third-party provider to review and audit alerts generated by its network's internal detection control system, and the SEC asserted that the company's internal policies with respect to the direction of, oversight of and responses to the third-party provider were insufficient because the company's personnel were not adequately reviewing the alerts from the third-party provider and were not properly investigating the third-party provider's warnings. As a result of these deficiencies in its internal accounting controls and disclosure controls, the SEC alleged that the company failed to timely respond to and disclose the ransomware attack. The charges were settled under the resolution agreement while similar claims were pending against SolarWinds, as discussed below. Two commissioners dissented, issuing a statement (repeating a view expressed in recent prior dissents) that the SEC lacks jurisdiction under the provision to charge companies for alleged "control failures" that do not involve accounting controls in particular and that this broad reading improperly "gives [the SEC] a hook to regulate public companies' cybersecurity practices."
  • On July 18, 2024, a federal court dismissed most (but not all) of the claims brought by the SEC in an enforcement action against SolarWinds Corp. and its CISO. The enforcement action stemmed from allegations by the SEC that SolarWinds made materially misleading statements and omissions about the company's cybersecurity risks following a prolonged cyberattack. The SEC alleged that SolarWinds had failed to maintain appropriate internal accounting controls and had distributed misleading and incorrect public communications, and that a "Security Statement" by SolarWinds was materially misleading.
    • The court dismissed the SEC's claim related to Section 13(b)(2)(B) liability, determining that a company's system of internal accounting controls does not include corporate cybersecurity controls and, as a result, claims of liability for inadequate cybersecurity controls cannot be brought under Section 13(b)(2)(B).
    • The court also dismissed the SEC's claims related to SolarWinds' securities filings during and after the cyberattack, finding that the SEC failed to support its allegations of securities fraud.
    • Finally, the court dismissed the SEC's claims that public statements and communications were materially misleading, finding that these public communications lacked the detail and specificity for reliance by a reasonable investor.
    • The court did, however, permit the SEC's claim related to SolarWinds' Security Statement to proceed. The Security Statement was made prior to the SUNBURST cyberattack and provided SolarWinds' customers with information about SolarWinds' security infrastructure and practices. The court determined the SEC properly alleged that statements made about access control and password protections were misleading.
  • On October 22, 2024, the SEC entered into resolution agreements with four technology companies regarding such companies' disclosures about the impact of a compromise of their systems as a result of the exploitation of the vulnerable SolarWinds code. While these enforcement inquiries began in 2021 (ahead of the effective date of the cyber disclosure rules), the settlements were written with a view to the now effective disclosure rules. One company paid $4 million and the others each paid around $1 million in penalties.
    • The SEC alleged that one customer made misleading disclosure statements and had violations of disclosure controls and procedure requirements. The disclosure statements were misleading, in part, because the company framed ongoing risks from cybersecurity events (namely the SolarWinds compromise) as hypothetical. In addition, the SEC noted that the company's own policies and procedures were not properly followed, the company's endpoint detection and response system was improperly configured, and the system failed to automatically send alerts to a centralized monitoring station.
    • With respect to another customer, the SEC alleged that such company made a misleading disclosure statement to investors. Specifically, the SEC alleged that the company knew of two servers that had installations of the SolarWinds compromised software and the company's disclosure statements minimized the compromise and withheld material facts.
    • The SEC alleged that a third customer made misleading disclosures in part by framing the effects of the ongoing SolarWinds attack as small when the impact was significantly larger. In short, the SEC alleged that this company used quantification to downplay the significance of the type of data that the threat actor exfiltrated.
    • Finally, the SEC alleged that another customer maintained generic disclosures when the company had more specific information about the nature of an ongoing security incident. The SEC also noted that this company lacked sufficient monitoring and logging capabilities to detect, mitigate or respond to the incident.
    • Two commissioners also dissented and issued a statement regarding the administrative proceedings against the four SolarWinds customers, criticizing the actions as Monday morning quarterbacking (improper hindsight review second-guessing the disclosure and reliance on immaterial, undisclosed details to support charges). The dissent added that it was not a judicious use of prosecution in a tricky area of whether hypothetical risks that have materialized require an update of forward-looking risk factors.2

Litigation. While the frequency of lawsuits by consumers against a company after disclosure of a security incident has increased over the past five years, securities and governance class action and shareholder derivative claims are rare. Of the 26 companies that filed a Form 8-K Item 1.05 regarding a cybersecurity incident in 2024, only two faced a shareholder lawsuit (and one lawsuit was withdrawn). The shareholder derivative claims that were filed were breach of fiduciary duty, indemnification, contribution, and violations of Sections 14(a) and 20(a) of the Exchange Act.

Regulation FD. Companies facing the new disclosure requirements also raised concerns regarding the application of Regulation FD when sharing with commercial counterparties such as vendors or customers additional information about a material cybersecurity incident that goes beyond the disclosure provided under Form 8-K. The SEC also issued a statement3 regarding these concerns, indicating that the new Form 8-K requirements do not affect considerations under Regulation FD. Regulation FD prohibits selectively sharing material nonpublic information with market professionals (such as brokers, dealers and investment advisers) and with securities holders, when it is reasonably foreseeable that the securityholder will trade on the basis of the information, without making such information simultaneously available to the public. It remains permissible for a company to privately provide information about a cybersecurity incident beyond what was disclosed in Form 8-K Item 1.05 if (i) the private information is immaterial, (ii) the parties receiving such private information are not covered by Regulation FD, or (iii) the parties receiving such private information owe a duty of trust to the company or enter into a confidentiality agreement with the company regarding the information.

Important Compliance Efforts for 2025

The SEC guidance and enforcement proceeding outcomes from the past year provide useful insight as companies update their Item 1C disclosures for their upcoming Form 10-Ks, continue to refine their disclosure controls and procedures related to cybersecurity matters, and consider whether a filing is required under Form 8-K. Given the outcome of the SolarWinds case and the upcoming change in administration, the SEC may be limited going forward in using charges related to ineffective internal controls to cite companies for violations relating to cybersecurity incidents; however, close attention will still be paid to disclosures under the new rules and to how companies are assessing materiality. As a result, the following steps are recommended:

  • Impact Assessment Process – Verify that there is an internal protocol and process for (1) detecting cybersecurity incidents, (2) classifying incidents by potential impact (e.g., low, medium, high, critical), (3) escalating incidents based on severity classification to a committee that evaluates disclosure obligations (e.g., escalate all high and critical incidents), (4) assessing impact based on applicable qualitative and quantitative factors, (5) determining and documenting the decision regarding the impact assessment, and (6) if applicable, filing a Form 8-K under Item 1.05 or 8.01. Doing an executive tabletop exercise is an effective way to test and refine this process and protocol. Having members of the audit committee or board observe the exercise or briefing them on the exercise is a good way to enable effective oversight.
  • Bringdown Process – Ensure that there is a process to review statements related to cybersecurity before quarterly and annual filings for accuracy and completeness, including based on any security incidents or assessments that occurred since the prior filing and to avoid hypothetical statements regarding actual risks that have occurred.
  • Security Statements – Review public-facing security statements for accuracy, completeness and consistency.

Footnotes

1. Erik Gerding, Director, Division of Corporation Finance, "Disclosure of Cybersecurity Incidents Determined To Be Material and Other Cybersecurity Incidents," May 21, 2024 (https://www.sec.gov/newsroom/speeches-statements/gerding-cybersecurity-incidents-05212024#_ftn1).

2. Commissioners Peirce and Uyeda, Statement regarding the SolarWinds customer proceedings, October 22, 2024 (https://www.sec.gov/newsroom/speeches-statements/peirce-uyeda-statement-solarwinds-102224).

3. Erik Gerding, Director, Division of Corporation Finance, "Selective Disclosure of Information Regarding Cybersecurity Incidents," June 20, 2024 (https://www.sec.gov/newsroom/whats-new/gerding-cybersecurity-incidents-06202024).
