Navigating New SEC Cybersecurity Disclosure Rules: Compliance and Reporting Guidelines for Companies

Author: Destiny Aigbe

October 2, 2024

In late 2023, the U.S. Securities and Exchange Commission (SEC) adopted stringent cybersecurity disclosure rules, highlighting the increasing importance of transparency in addressing cyber incidents. The new rules under Item 1.05 of Form 8-K are part of a larger effort by regulators to ensure that investors are fully informed about material cybersecurity incidents that could impact a company’s operations or financial performance. As cyberattacks grow more sophisticated, the SEC’s rules aim to mitigate the risks by ensuring public companies report cyber incidents promptly and comprehensively. For legal professionals advising these companies, understanding the nuances of these rules and guiding clients through the compliance process is crucial.

Overview of New Cybersecurity Disclosure Rules

The new rules, effective from July 2023, require companies—both domestic and foreign—to disclose material cybersecurity incidents. Under Item 1.05 of Form 8-K, companies must disclose specific details of any material incident within four business days of determining its materiality. The required information includes the nature of the cyber incident, the scope and timing, and any material impact (or likely impact) on the company’s operations or finances.

Given the sensitive nature of cybersecurity incidents, one important provision allows for the delay of the 8-K filing if the U.S. Attorney General informs the company in writing that disclosure would pose a substantial risk to national security or public safety.

When to Disclose Cybersecurity Incidents

The challenge for many companies lies in determining when a cybersecurity incident becomes material. Materiality is generally interpreted as whether an event would significantly alter the total mix of information available to investors. Under the SEC’s guidelines, incidents may be deemed material if they compromise critical systems, expose customer or employee data, disrupt business operations, or lead to significant financial loss.

To comply, companies need to develop internal protocols to evaluate cybersecurity incidents as they arise and well-defined criteria for determining whether an incident is material. A key element for law firms advising clients is to ensure that companies have a robust risk management and reporting system in place to detect and assess potential cyber threats in real time.

New SEC C&DI Guidance on Cybersecurity Reporting

In conjunction with the adoption of these new rules, the SEC published three new Compliance and Disclosure Interpretations (C&DIs) to clarify the application of the rules:

  1. Deadline After Denial of Delay Request: If a company requests a delay in filing the 8-K due to national security concerns but the Attorney General declines or does not respond, the company must file the 8-K within four business days of determining that the incident is material. The SEC clarified that merely requesting a delay does not relieve the company of its filing obligation.
  2. Deadline After Expiration of Delay: If the Attorney General allows for a delay in filing but declines to extend the delay beyond the original time period, the company must file the 8-K within four business days of the expiration of the delay.
  3. Filing After Early Termination of Delay: If the Attorney General terminates a previously approved delay (due to reduced national security concerns), the company must file the 8-K within four business days of the Attorney General’s notification.

These clarifications emphasize that companies must stay vigilant and closely monitor communication with the Attorney General and other relevant agencies when dealing with material cyber incidents that could impact national security or public safety.

Key Steps for Compliance

Given the complexity and potential legal ramifications of the SEC’s cybersecurity rules, law firms can play an integral role in helping clients navigate these requirements. Below are key steps to ensure compliance:

  1. Establish Incident Response Teams: Companies should establish dedicated incident response teams that include cybersecurity experts, legal counsel, and compliance officers. These teams should be trained to evaluate cyber incidents rapidly and assess materiality based on the SEC’s guidelines.
  2. Develop Risk Management Policies: Cybersecurity risk management should be integrated into broader corporate governance strategies. This includes adopting a robust cybersecurity policy that addresses both preventative measures and response protocols. Legal advisors should ensure that these policies are up to date with current regulatory expectations.
  3. Timely Reporting and Communication: Companies must establish clear communication lines with legal counsel, the board of directors, and key stakeholders to ensure timely reporting of material cyber incidents. Filing deadlines must be adhered to strictly, with proper legal guidance regarding any delay requests.
  4. Legal Oversight of National Security Concerns: If the company believes that disclosing a cyber incident poses a national security risk, legal counsel should immediately engage with the Attorney General’s office to request a delay. Regular communication and updates with government agencies are essential to avoid missing critical deadlines.
  5. Board Oversight and Training: Boards of directors should receive regular training on the SEC’s cybersecurity requirements and the company’s internal response policies. Directors should be well-informed about their fiduciary responsibilities regarding cybersecurity risk and reporting obligations.

The Broader Impact of the SEC’s Cybersecurity Rules

The SEC’s new rules signal an increased emphasis on corporate accountability when it comes to cybersecurity. As companies rely more heavily on digital infrastructure, the risk of cyberattacks becomes a pressing concern for both management and shareholders. These rules align with a broader regulatory trend that seeks to safeguard investors by ensuring that they have access to timely and accurate information about cyber risks that could impact a company’s value.

Law firms advising public companies must take a proactive approach to ensure that clients are not only compliant with the letter of the law but are also equipped to handle the challenges posed by the evolving cyber threat landscape. As cyberattacks become more sophisticated, so too must a company’s legal and operational response strategies.

Conclusion

With the adoption of the new SEC cybersecurity rules, the stakes for public companies have never been higher. Ensuring compliance with Form 8-K filing requirements and the SEC’s C&DIs is crucial for mitigating legal risks and protecting a company’s reputation. Law firms should guide clients in developing a comprehensive cybersecurity response plan that addresses risk management, legal reporting obligations, and communication with federal agencies.

As the SEC continues to refine its cybersecurity regulations, staying ahead of these changes will ensure that companies remain compliant while maintaining the trust of investors and regulators alike.

About the Author

Destiny Aigbe

Managing Partner

Aigbe Law PLLC | Dark Alpha Capital

A Corporate and Securities Law Firm

With a robust foundation in law and finance, Destiny Aigbe has carved a distinguished career, underpinned by his pivotal role in orchestrating and managing complex transactions that have propelled companies to significant growth and market prominence. As a seasoned attorney and strategic advisor, Destiny has been instrumental in facilitating over $75 million in capital raises, demonstrating a keen acumen for securing funding and fostering investor confidence.

Destiny's leadership in the execution of six successful public listings, through meticulously structured reverse mergers and registration statements, showcases his adeptness in navigating the intricacies of the public markets and his capacity to guide companies through transformative growth phases. His involvement in five mergers as an operator further illustrates his versatile skill set, extending beyond legal expertise to include hands-on management and operational strategy, though these ventures did not involve funding.

Destiny's professional journey is marked by a commitment to excellence and a diverse range of experiences, from representing a wide spectrum of clients including public and private companies, and investment firms, to holding significant roles within the US government. His tenure with the US Department of State and the National Institutes of Health highlights his adaptability and his contribution to the advancement of entrepreneurial ventures in sectors like biotechnology and nanotechnology through strategic funding initiatives.

An alumnus of Vanderbilt University Law School, Destiny focused on Finance and Mergers & Acquisitions, further honing his expertise with a certificate in Law and Business. His foundational education in Finance was obtained with honors from the University of Maryland's Robert H. Smith School of Business, which laid the groundwork for his subsequent achievements in investment banking and legal practice.

Residing in the Washington, D.C. area, Destiny Aigbe continues to leverage his extensive experience and insightful leadership to drive innovation, growth, and success for his clients and the ventures he is involved with.

© Aigbe Law, PLLC