On March 9, 2022, the Securities and Exchange Commission (SEC) proposed amendments to its rules that would, it hopes, “enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.” These proposed new rules augment the current guidance covering certain cyber incidents that need to be reported by public companies. Among the proposed changes are periodic reports on (1) policies and procedures concerning cybersecurity risks, (2) the entity’s board of directors’ oversight of cyber risks, and (3) management’s ability to assess and respond to cyber risks.
As Jay H. Knight, chair of the American Bar Association Business Law Section’s Federal Regulation of Securities Committee noted in the committee’s comment, “[i]nvestors only benefit when there is decision-useful information that can be provided.” In the early minutes, hours, or even days of a cyber incident, “decision-useful” information may be hard to come by as firms, businesses, and organizations work to address the failure, assess the vulnerability, and implement a response. Having the infrastructure necessary for an effective response to a cyber incident was important before the SEC’s proposed amendments—should they be implemented, that infrastructure will quickly become a necessity.
What does all of this mean? It may be too early to tell as the final rule has yet to be published, but there are steps that organizations can take to minimize the risks that more stringent reporting requirements may impose. The ABA Cybersecurity Legal Task Force (Task Force) recently published the third edition of The ABA Cybersecurity Handbook (hereinafter Cybersecurity Handbook), which combines data, expertise, and experience from professionals across industries to educate lawyers, law firms, and business professionals. While this new book focuses on all key aspects of cybersecurity, several topics addressed in the book are especially important to consider in light of the proposed SEC rule.
First, public companies should consider cyber training in the context of the company as a culture, rather than as a one-time or annual check-the-box action. Insider threats (e.g., accidental data loss and malicious data exfiltration) have increased 47 percent between 2018 and 2020, accounting for nearly a quarter of security incidents. In the United Kingdom, 88 percent of data breaches were caused by human error, with malicious activity accounting for a mere 12 percent. A culture of responsibility that prioritizes data security and emphasizes the importance of everyone in the organization is an opportunity to drastically decrease the number of adverse events that you or your client’s organization will encounter.
A culture of accountability and security requires that individuals in every role understand how they fit into a security scheme and the importance of their role. As Ruth Hill Bro, a former chair of the Task Force, and Jill Rhodes, an editor of the third edition of the Cybersecurity Handbook, wrote, organizations should “Get SMART on Data Protection Training.” SMART training consists of five steps: (1) Start training on hiring, (2) Measure what you do, (3) Always train, (4) Raise awareness and provide updates continually, and (5) Tailor training by role. Each of these steps is important in its own right, but organizations should especially take note of raising awareness and providing continual updates. Ongoing updates ensure that your entire organization is aware of current threats; response plans; and legal, ethical, and organizational requirements in the event of an incident.
Technology and bad actors are constantly evolving, and a response plan should similarly adjust in response to new and emerging threats. Ensuring that all members of your organization are aware of threats and understand their role within the response schema will provide a strong foundation from which you can respond to whatever reporting requirement the SEC implements.
Equally important is that public companies have and practice a proactive plan to address incidents, whenever and however they may arise. Risk management is nothing new to businesses, but hybrid working environments, increased reliance on networks, information as a service, and other considerations have exposed organizations to a threat landscape almost unrecognizable from the prepandemic environment.
In the Cybersecurity Handbook, Claudia Rast—the practice department chair of the Intellectual Property, Cybersecurity and Emerging Technology Group at Butzel Long and current cochair of the Task Force—and John DiMaria, an assurance investigatory fellow and research fellow with the Cloud Security Alliance, identified national and international authorities and standards that can help guide organizations creating or updating their cyber infrastructure. These authorities include domestic executive action, such as the Executive Order on Improving the Nation’s Cybersecurity; actions by the European Union Agency for Cybersecurity; and nongovernmental organizations, including the International Organization for Standardization. Rast and DiMaria distilled the numerous authorities and standards down to four steps: (1) establish your team, (2) understand your capabilities and risks, (3) develop a plan, and (4) implement and test the plan. These steps connect the security culture that you have created with an organized chain of command that, coupled with actionable procedures, will allow your organization to respond to “decision-useful” information and distinguish it from distractions.
Whatever reporting requirements the SEC decides to implement, they will be a small part of the larger response plan that your organization puts in place. A response plan must also include state, federal, international, and public relations considerations, as well as any other considerations deemed important.
The cyber-threat environment is constantly changing, but actions by regulators like the SEC can give insight into how the threat landscape is changing, where new threats could arise, and how best to respond to them. SEC guidance today already requires publicly traded companies to disclose material cyber incidents, but that responsibility will increase in a way as yet undefined. Whatever the SEC’s final rule looks like, organizations will have to adjust their cybersecurity infrastructure and response plans to meet the new requirements. While it is impossible to know with certainty today the specifics of the final SEC rule, these changes are an opportunity for organizations to evaluate and adjust their training, response plans, and cyber infrastructure.
The ABA Cybersecurity Handbook (third edition) can help with that evaluation and adjustment—and, in general, help lawyers prepare for the upcoming new terrain of cybersecurity reporting. You can save 20 percent with the code ABACYBER20 through February 28, 2023.