The existing patchwork of laws relating to cybersecurity can be maddening for businesses just trying to keep up. On one end of the spectrum, there are a plethora of state-specific laws, including New York’s SHIELD Act, N.Y. G.B.L. § 899-bb, that require organizations to proactively assess and protect against security risks through the implementation of effective administrative, technical and physical safeguards, even before any security incident arises.
On the opposite end, there are unique statutes (one in every state, in fact) that impose notification obligations on businesses following their discovery of a breach, an increasing number of which contain hard deadlines for compliance as short as 14 days.
And as if that were not enough already, there are also industry-specific statutes that impose their own, sometimes highly detailed, proactive and reactive requirements, such as the Health Insurance Portability and Accountability Act (HIPAA), which applies to covered healthcare entities and their third-party business associates, and the Gramm-Leach-Bliley Act (GLBA), which extends to a broad range of “financial institutions,” from automobile dealerships to banks, colleges and beyond.
The end result is a seemingly endless smorgasbord of regulation and a minefield for organizations that are left with no real choice: comply, in full, with a broad spectrum of often overlapping but in some cases differing requirements simultaneously, or risk potential regulatory action, lawsuits and/or fines in relation to any gaps.
For publicly traded companies in particular, the regulatory space just became even more crowded. On July 26, 2023, the SEC adopted new cybersecurity rules that are notable in several respects. First, they require SEC-regulated businesses to complete a new Item 1.05 on Form 8-K filings to describe any cybersecurity incident deemed by the business to be “material.” Further, with little exception, and with what amounts to one of the shortest deadlines for breach notification across any industry, this new disclosure must be made within just four business days after a registrant reaches a materiality determination.
Second, the new rules require publicly traded companies to, through their Form 10-K submissions, make specific annual disclosures relating to their cybersecurity risk management, strategy and governance practices. These disclosures must adequately describe, for example, the company’s processes for assessing, identifying and managing material risks that arise from cybersecurity threats (and the material effects of such risks), as well as provide an overview of both the board of directors’ oversight of cybersecurity risks and management’s role in assessing and acting upon them. Regarding this new level of cybersecurity detail in Form 10-K disclosures, the key will be to strike the appropriate balance between disclosing enough to comply and not disclosing so much that the company becomes more vulnerable to threats. Attackers are likely to take an interest in these filings, both to gather intelligence on current targets and to help them decide upon their next one.
The new rules will become effective 30 days following publication in the Federal Register. Most public companies will need to begin complying with the new Form 8-K requirements on the later of 90 days after the date of publication in the Federal Register or December 18, 2023; smaller reporting companies will have until the later of 270 days from the date of publication or June 15, 2024 to begin complying with the new 8-K requirements. All public companies must comply with the 10-K requirements in their annual reports for fiscal years ending on or after December 15, 2023.
But the time for public companies to start planning for these new, significant changes is now. That planning should include reviewing the sufficiency of their Incident Response Plans and testing them through table-top exercises, because businesses will now need a reasonable process to determine when a cyber incident is material and thus must be disclosed within four business days on a Form 8-K. Initial considerations relating to this new process should involve reviewing and revising disclosure controls and procedures for these types of incidents.
For additional information from the SEC, please see the fact sheet and complete rules. If you have any questions related to the new rules, reach out to the HSE Privacy & Data Security or Securities & Capital Markets teams.