The SEC’s cyber security incident 8-K reporting rule – an incident response game-changer

March 2024  |  SPECIAL REPORT: DATA PRIVACY & CYBER SECURITY

Financier Worldwide Magazine

March 2024 Issue


With the advent of artificial intelligence (AI) and the prospect of quantum computing looming, the landscape of cyber security and incident response is undergoing a profound transformation, characterised by heightened risks, expanded reporting obligations and greater impacts arising from data breaches. However, this evolution can be traced back to seminal events like the Colonial Pipeline ransomware attack, which underscored the critical need for robust protection of vital infrastructure against increasingly aggressive and organised cyber criminal networks, as well as nation-state actors. These adversaries have been waging a low-level yet intensifying cyber conflict against the US and other western economies, driven by geopolitical tensions and conflicts in regions such as Ukraine, southeast Asia and the Middle East. This evolving scenario has elevated cyber security from a technical concern to a mission-critical component of economic and national security, compelling organisations and governments alike to reassess and fortify their incident response strategies and operational resiliency. Regulators and plaintiffs’ lawyers are also part of this ecosystem, and they create additional legal, reputational and business risks for companies that fall victim to data breaches.

The shift in the threat and risk landscape, and in incident response, is being accelerated by the Securities and Exchange Commission’s (SEC’s) recently implemented cyber security incident reporting 8-K rule, which mandates more rigorous and timely disclosure of material cyber security incidents by publicly traded companies. The SEC cyber incident reporting rule, combined with the vastly increased threat, regulatory and litigation environment, has created a perfect storm of corporate risk, and has changed the breach notification game.

Background

On 18 December 2023 the SEC’s cyber incident 8-K reporting rule came into effect for most US domestic public companies and certain foreign private issuers. Under the rule, public companies are required to report certain material cyber security incidents within four business days of determining that an incident is material. Materiality in this context ties back to the expectations of a reasonable investor: whether there is a substantial likelihood that such an investor would consider information about the incident important in making an investment decision.

Broader notification trigger

With a generic definition of a cyber security incident and a broad material impact standard, the ‘trigger’ is low. Any incident that a company discovers requires a materiality decision without unreasonable delay. Registrants are required to publicly report incidents that have caused or are reasonably likely to cause a material impact to the company. Prior to the SEC cyber rule, most breach notification laws were triggered by personal information breaches, and in the US by a relatively narrow band of sensitive personal information. In addition, personal information breach notification laws typically do not require public notification – breached companies were only required to notify affected individuals and in some instances state regulators. Companies were not required to provide notice of ransomware attacks causing operational impacts, the unauthorised acquisition of intellectual property or confidential business information, or breaches more likely to cause reputational harm due to bad publicity or a loss of customer trust. This has all changed. Any cyber security incident that impacts a public company could become publicly reportable shortly after the company learns of it.

New players on top of old players

The SEC cyber rule also brings new players into the breach notification game: investors, who are also plaintiffs for securities class actions and derivative suits, and the SEC itself. The SEC has already demonstrated a willingness to enforce against public companies for allegedly failing to escalate cyber security incidents or vulnerabilities to management, failing to report certain cyber security incidents, and alleged material omissions related to security incident reporting. Notably, for some data breaches – those involving personal information and soon, under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), those involving critical infrastructure – interacting with the SEC and investors comes on top of having to interact with consumers, business customers and other local, state and federal regulators. The game changer here is the heft of the SEC and investor community and the likelihood that mistakes related to the required materiality analysis and incident notification process could cost companies dearly.

The new ‘risk of harm’ analysis – materiality

While materiality is generally measured with reference to reasonable investor expectations, the SEC’s incident reporting rule focuses on material impacts, or reasonably likely material impacts, resulting from cyber security incidents. Security and legal departments, along with senior management and board members, are currently trying to determine what materiality means to their organisation and how their company should analyse materiality in real time in the wake of an imminently exploitable vulnerability or security incident. If part of the SEC’s intent was to bring these disparate stakeholders together, the SEC cyber rule is working.

The challenge, and game-changer here, is coming up with a framework for materiality assessment that: (i) is reflected in a materiality assessment playbook (MAP) that ties into the organisation’s broader incident response and crisis management plans; (ii) funnels out security issues, events, pings and less severe cyber security incidents, reducing the noise and enabling organisations to focus on incidents that truly pose material risks; (iii) establishes an appropriate escalation path to management to enable materiality decisions; (iv) identifies a materiality assessment team that is both nimble and knowledgeable concerning not only incident response, but more importantly quantitative and qualitative business impacts across the organisation that can result from security incidents; (v) is flexible while at the same time being reasonable and defensible should a company’s decision making come into question in a legal setting; and (vi) is based on materiality criteria and scenarios that are developed well before an incident, so they can be accessed and used quickly when an incident occurs.

The process of developing a MAP forces the security and management function to think carefully about the nexus between relevant cyber security threats and potential material impacts that could result from those threats. Significantly, while this work is being done to address the SEC’s 8-K reporting requirements, by undertaking this effort companies can identify opportunities to break the chain between and decrease the likelihood of cyber security threats resulting in material impacts. Again, is this an unintended ripple effect, or a goal of regulators who put the rule into effect?

Potential downsides and unintended ripple effects of the rule

Unfortunately, there are some significant game-changing downsides to the rule. The SEC made a major mistake imposing an arbitrary four-business-day reporting deadline. While registrants still have some timing flexibility – a materiality decision must be made without unreasonable delay, which affords some time to investigate and determine the facts necessary to enable a materiality assessment – the quick turnaround will undermine some of the SEC’s goals and cause greater risk to companies. The stated purpose of the mandatory 8-K is to enable investors to make decisions concerning buying and selling stocks. To that end, the SEC apparently believes investors need to know about incidents very quickly. Unfortunately, this is causing companies to report cyber security incidents early, when they do not have enough information to understand the scope and impact of the incident. Some are filing 8-K placeholders that reveal that an incident occurred, but also indicate that the registrant has not determined whether it will result in a material impact. If the intent of the rule is to provide the market with accurate information to enable decision making, how does flagging an incident in this manner achieve that goal? What are investors supposed to do with that information?

Similarly, the tight reporting deadline is likely causing companies to file 8-Ks that identify material impacts without having completed a reasonable investigation. As any experienced incident response lawyer knows, cyber security incidents tend to look very different on day one, or even week one, than they do after a thorough forensic investigation has been conducted. It is not unusual for breaches to look like worst-case scenarios early on, only for them to prove much less severe after a skilled investigator has been retained. Unfortunately, false positives reported within the SEC’s arbitrary deadline will create more uncertainty for investors, not less.

Finally, it is not clear that regulators have considered how threat actors might leverage the incident reporting requirements and the four-business-day deadline. Cyber criminals who steal data and ransomware attackers use time as leverage. These attackers steal data and threaten to release it publicly, put it on the dark web or inform customers that their data was exposed, unless an extortion payment is made. Faced with this pressure and the risk that a threat actor may disclose a breach to the market before the registrant does, a breached registrant will be incentivised, as a hedge, to file an 8-K to pre-empt the threat actor. This may occur even if the cyber security incident does not turn out to be material. Again, this is likely to lead to less accurate information for decision making and more uncertainty for investors. Threat actors leveraging SEC reporting to their advantage is not hypothetical: we have already seen an attack group make a complaint to the SEC because the registrant it breached failed to file an 8-K. This is likely just the beginning; it will not be surprising to see threat actors attempt to short a registrant’s stock after a data breach in anticipation of the registrant’s 8-K cyber filing and the resulting dip in stock value.

Conclusion

We are at a key inflection point when it comes to cyber security threats and mitigating the potential impacts of those threats. The risks and stakes have never been higher for businesses and governments. The SEC cyber rule adds to the complexity of the current threat and risk environment. While intended to enable investors to make better investment decisions, it also appears intended to incentivise a broader set of behaviours. While well-intentioned, it is not clear that legislating by regulating is going to yield beneficial results across the board. While we are seeing a renewed focus by senior management and boards on cyber security, it is not clear whether this rule and the transparency it requires will actually improve security in the long run. More concerning, it is fair to wonder whether the rule might increase exposure and be used as a tool by the very threat actors it seeks to nullify. Either way, the rule has changed, and will continue to change, the incident response playing field for a very long time.


David Navetta is a partner at Cooley LLP. He can be contacted on +1 (720) 566 4153 or by email: dnavetta@cooley.com.

© Financier Worldwide