Takeaways

The SEC has nearly doubled the size of its Crypto Assets and Cyber Unit and has aggressively pursued cyber-related enforcement actions against public companies and regulated entities.
In a few months the SEC will finalize new rules governing firms’ cybersecurity obligations, ushering in an unprecedented wave of oversight.
Companies must proactively prepare for changes to the cyber-regulatory regime by assessing the adequacy of their security protocols, disclosure controls and procedures, and disclosures to investors regarding cyber matters.

In remarks last year, Gary Gensler, Chair of the Securities and Exchange Commission (SEC), made clear that the SEC “has a role to play” in regulating cybersecurity in the name of “maintaining orderly markets.” That role cannot be overstated.

Shortly after those remarks, the SEC proposed a set of sweeping new rules governing the cybersecurity obligations of public companies and registered investment advisers and funds. In just a few months, those rules will be finalized, and we expect the final versions to mirror the original proposals. Given the SEC’s growing appetite for enforcement in this area, companies must proactively prepare for imminent changes to the cyber-regulatory regime.

The Changing Landscape

The SEC plays a substantial role in regulating the cybersecurity of public companies and regulated entities and is seeking to expand its oversight. Cybersecurity has been a priority for the SEC’s Division of Enforcement spanning the past two presidential administrations. Enforcement Director Gurbir Grewal even characterized cybersecurity vulnerabilities as an “existential” threat to the markets. To combat this threat, the Enforcement Division established a Cyber Unit in 2017 (now known as the Crypto Assets and Cyber Unit), which brings actions against public companies and registrants for, among other things, failing to maintain adequate cybersecurity controls or failing to make proper disclosures of cyber-related incidents. Within the past year, the unit has nearly doubled in size.

The Enforcement Division has also been using “sweeps” to target broad swaths of companies impacted by cyberattacks. For example, it has been aggressively investigating the response of public companies to the highly publicized cyberattack that targeted the SolarWinds software in 2019 and 2020; companies vulnerable to the attack were those that downloaded certain versions of malicious software supplied by their vendor, SolarWinds. The SEC has been equally aggressive in pursuing cyber-related enforcement actions against regulated entities, including for violations of rules designed to prevent identity theft (Regulation S-ID) and protect confidential customer information (Regulation S-P).

Summary of Proposed Rules for Regulated Entities

On February 9, 2022, the SEC proposed new rules to address purported cyber vulnerabilities for registered investment advisers and funds. The proposed rules would require funds to implement written security policies and procedures, report significant cyber incidents on a new confidential form and adhere to new record-keeping requirements designed to facilitate the Commission’s inspection and enforcement capabilities.

Summary of Proposed Rules for Public Companies

On March 9, 2022, the SEC proposed cybersecurity rules for public companies. These rules, when adopted, will overhaul SEC oversight of issuers’ cyber regimes. Although the proposal contains many components, commenters have focused principally on new reporting requirements. Those requirements would mandate that public companies report via a Form 8-K any material cyber incidents within four days of concluding that an incident was material and provide updates on these incidents in Forms 10-K and 10-Q. Companies will have to consider whether a cyber incident is material based on longstanding principles of materiality and guidance issued by the Commission and its staff in 2018 and 2011. The proposed rules would also require companies to report immaterial incidents that are material in the aggregate.

The SEC’s proposal is not limited to disclosure of cybersecurity incidents. The rules would amend Regulation S-K to require companies to describe their policies and procedures for identifying and managing risks from cyber threats, including from third-party service providers. Companies would be required to disclose any cyber event—even those that are entirely immaterial—if the event leads to a policy change.

Finally, the rules would impose various governance obligations. The proposal would require companies to disclose their board of directors’ oversight of cyber risks and directors’ and officers’ expertise in implementing and managing cybersecurity. Companies would have to disclose “any detail necessary to fully describe” the nature of directors’ expertise and whether they have a designated chief information officer, and, if so, that officer’s relative seniority within the company.

What Will the Regulatory and Enforcement Landscape Look Like Going Forward?

In short, we expect that the rules will likely be adopted substantially as proposed, and that enforcement activity will increase in the wake of the rules’ implementation. Because cybersecurity concerns often present complex questions for businesses, and because the SEC is pushing to implement and enforce extensive cyber regulations, momentum may build for Congress to curb the SEC’s perceived “overreach.” Unless and until that happens, though, companies, advisers, and other regulated entities should adapt their policies and mitigation approaches proactively.

How Should Public Companies Prepare?

Public companies are required to maintain a system of disclosure controls and procedures to ensure that important information is escalated to senior management and the board in a timely manner to enable executives to evaluate potential disclosure obligations. In light of those requirements, as well as the SEC’s expectations regarding timing as memorialized in the agency’s proposed cybersecurity rulemaking (discussed above), companies should evaluate their disclosure controls and procedures to assess the adequacy of internal reporting regarding cyber matters.

Because of the lack of substantial guidance regarding the circumstances under which cyber events are material, if a company experiences a significant cybersecurity event, management should evaluate disclosure obligations with the assistance of various constituencies, including legal advisors, auditors, chief information security officers and other security experts. To that end, directors and officers should consider brushing up on evolving cyber risks, and companies should have a designated chief information security officer within their governance structures.

If a company concludes that it is required to make a cyber-related disclosure, it must not downplay the seriousness of the incident. Companies should also be mindful that the SEC will expect them to disclose the following information:

  • When the incident was discovered and whether it is ongoing;
  • A brief description of the nature and scope of the incident;
  • Whether any data was stolen, altered, accessed or used for any other unauthorized purpose;
  • The effect of the incident on the registrant’s operations; and
  • Whether the registrant has remediated or is currently remediating the incident.

Companies should also review their existing disclosures to ensure that they accurately discuss the quality of their cybersecurity controls. Companies that overstate the efficacy of their security controls risk SEC investigations and enforcement actions.

Finally, companies should review the cybersecurity controls and procedures that their third-party vendors have in place. Many cyber risks that firms face may arise from relationships with third parties (e.g., placement agents, vendors), and the SEC may begin to hold firms accountable for security failures caused by or through these partners. Companies should conduct due diligence on the protections their third-party vendors use, including by reviewing the vendors’ cybersecurity policies, obtaining a written commitment from third parties that they will maintain the firm’s information securely, implementing indemnification provisions in the event of a cyberattack or requiring the third party to use specific safeguards.

As observed by many constituencies during the notice and comment process for the pending rulemaking, there are compelling arguments against adoption of the SEC’s proposal. Among other concerns, disclosure of a cyber incident may interfere with ongoing law enforcement investigations into an intrusion. And publicly identifying vulnerabilities and changes in cybersecurity policies may also encourage repeat attacks. Companies will have to account for these potentially competing considerations when deciding what to disclose, how much to disclose, and when to do so.

How Should Regulated Entities Prepare?

As with public companies, regulated entities should assess the adequacy of their existing cybersecurity protections and update them in light of the SEC’s new proposals and enforcement actions. Such an assessment should include a review of: (1) the nature, sensitivity and location of information that the entity collects, processes and/or stores; (2) internal and external cybersecurity threats to and vulnerabilities of the entity’s information and technology systems; (3) security controls and processes currently in place; (4) the likely impact if the information or technology systems become compromised; (5) the effectiveness of the governance structures for the management of cyber risks; (6) the procedures in place for detecting, responding to and escalating awareness of cyber incidents; and (7) the policies and procedures in place for providing training and guidance to the firm’s personnel to ensure that best practices are followed.

Proactive compliance is key. Prior to the rule’s adoption, regulated entities should: establish comprehensive cybersecurity risk management programs; have in place risk-based policies and procedures that non-lawyers can understand, and update those policies in response to evolving threats; provide mandatory training to employees on cyber threats, policies and procedures; invest resources in security; and anticipate cyber-focused examinations.

The SEC’s cyber-regulatory overhaul is fast approaching. In light of these impending changes, companies, advisers and other regulated entities should proactively review their cybersecurity policies, procedures and controls, and make enhancements to their cyber compliance function with the SEC’s proposed rules in mind.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.