Aigbe Law Blogs

SEC Publishes More New C&DI On Cybersecurity Rules

Author: Destiny Aigbe

July 31, 2024

The U.S. Securities and Exchange Commission (SEC) has recently published additional Compliance and Disclosure Interpretations (C&DI) on cybersecurity incident disclosures, further clarifying the requirements set forth under Item 1.05 of Form 8-K. This follows the adoption of final rules in July 2023, mandating both domestic and foreign public companies to disclose material cybersecurity incidents. These rules are part of the SEC’s broader effort to enhance transparency and accountability regarding cybersecurity risks and incidents, which have become increasingly critical in today’s digital landscape.

Key Aspects of the SEC's Cybersecurity Disclosure Rules

1. Material Cybersecurity Incident Reporting: Under the new rules, companies must disclose any material cybersecurity incident, detailing the nature, scope, timing, and material impact or potential impact of the incident. This disclosure must be filed on Form 8-K within four business days after the determination that an incident is material. The SEC’s guidance emphasizes that the cessation or resolution of an incident does not exempt the company from the requirement to report if the incident is deemed material.

2. Delay Provisions for National Security: Recognizing the sensitive nature of cybersecurity breaches, the SEC has included provisions that allow for a delay in disclosure. If the Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety, companies may delay filing the Form 8-K. The delay can be extended in increments, not exceeding 30 days each, up to a maximum total of 120 days.

3. Assessing Materiality: The SEC provides a standard for assessing materiality: whether a reasonable investor would consider the information important in making an investment decision. This includes a thorough consideration of both quantitative and qualitative factors, such as financial impact, operational disruption, reputational damage, and potential legal or regulatory consequences.

Recent C&DI Clarifications

The latest C&DI published by the SEC in June 2024 provide further clarity on specific scenarios:

  • Ransomware Payments and Materiality Determination: Even if a ransomware payment resolves the incident, companies must still determine whether the incident was material based on its potential impact on the company, not merely the resolution.
  • Insurance and Materiality: The fact that a company is reimbursed for a ransomware payment by insurance does not necessarily render the incident immaterial. Companies must consider all relevant factors, including potential increases in insurance costs or future coverage limitations.
  • Size of Ransomware Payment: The size of a ransomware payment alone does not determine materiality. Companies must assess the broader impact of the incident, including reputational harm and long-term operational effects.
  • Multiple Cybersecurity Incidents: Companies must consider whether a series of related incidents, even if individually immaterial, collectively represent a material impact that requires disclosure.

Practical Implications for Companies

The SEC’s new requirements and clarifications necessitate a proactive approach to cybersecurity incident management and disclosure. Companies should:

  1. Develop Robust Incident Response Plans: Include protocols for assessing materiality and disclosing incidents in compliance with SEC rules.
  2. Document Decision-Making Processes: Keep thorough records of all materiality assessments and related decisions to provide transparency and accountability.
  3. Coordinate with Legal and Compliance Teams: Ensure alignment on the interpretation of “material impact” and the appropriate timing and content of disclosures.
  4. Monitor Insurance and Regulatory Developments: Stay informed about changes in insurance policies and regulatory expectations that may affect disclosure obligations.

Conclusion

The SEC’s enhanced focus on cybersecurity disclosures underscores the increasing importance of cybersecurity in corporate governance and risk management. By adhering to these new rules and guidelines, companies can better manage risks, maintain investor confidence, and demonstrate a commitment to transparency in handling cybersecurity threats. The evolving landscape of cybersecurity regulations makes it imperative for companies to stay informed and prepared to address both the technical and regulatory challenges that arise.

About the Author

Destiny Aigbe

Managing Partner

Aigbe Law PLLC | Dark Alpha Capital

A Corporate and Securities Law Firm

With a robust foundation in law and finance, Destiny Aigbe has carved a distinguished career, underpinned by his pivotal role in orchestrating and managing complex transactions that have propelled companies to significant growth and market prominence. As a seasoned attorney and strategic advisor, Destiny has been instrumental in facilitating over $75 million in capital raises, demonstrating a keen acumen for securing funding and fostering investor confidence.

Destiny's leadership in the execution of six successful public listings, through meticulously structured reverse mergers and registration statements, showcases his adeptness in navigating the intricacies of the public markets and his capacity to guide companies through transformative growth phases. His involvement in five mergers as an operator further illustrates his versatile skill set, extending beyond legal expertise to include hands-on management and operational strategy, though these ventures did not involve funding.

Destiny's professional journey is marked by a commitment to excellence and a diverse range of experiences, from representing a wide spectrum of clients including public and private companies, and investment firms, to holding significant roles within the US government. His tenure with the US Department of State and the National Institutes of Health highlights his adaptability and his contribution to the advancement of entrepreneurial ventures in sectors like biotechnology and nanotechnology through strategic funding initiatives.

An alumnus of Vanderbilt University Law School, Destiny focused on Finance and Mergers & Acquisitions, further honing his expertise with a certificate in Law and Business. His foundational education in Finance was obtained with honors from the University of Maryland's Robert H. Smith School of Business, which laid the groundwork for his subsequent achievements in investment banking and legal practice.

Residing in the Washington, D.C. area, Destiny Aigbe continues to leverage his extensive experience and insightful leadership to drive innovation, growth, and success for his clients and the ventures he is involved with.

© Aigbe Law, PLLC

Categories

Securities LawGoing PublicBanking and FinancePublic FinanceForeign Direct InvestmentUplistingIntellectual PropertyCorporate TaxInterviewsLitigationInitial Public Offerings (IPOs)Industry InsightsUS Export ControlsBitcoinArtificial IntelligenceCybersecurityPatentReal EstateCorporate SecuritiesAdministrative LawWhite Collar DefenseMergers and Acquistions