Rule hastening disclosure of cyber breaches likely to ignite litigation, insurance headaches
Public companies will shoulder the potentially costly burden of a new federal rule giving them just four days to report a cybersecurity incident—a nightmare for firms lacking a sound framework for managing data security.
Although likely to spur more consistent and earlier reporting of data breaches, the Securities and Exchange Commission rule also provides red meat for shareholder lawsuits and likely will prompt insurers to impose more stringent underwriting standards against such claims.
“Registrants are almost certain to face more lawsuits alleging breach of duty of oversight claims,” Reed Smith warned in a client advisory last week.
The SEC already required companies to disclose cyber breaches they deemed to be material. Under the new rule, a public company will now have four business days from the time it determines a cybersecurity event is material to file a Form 8-K.
That is, the clock does not start running from the date of discovery but rather from the time it is deemed by the company to be material. And that determination must be made “without unreasonable delay” following the discovery.
Another treasure trove for plaintiffs’ attorneys might be the two additional disclosures that companies will be required to make in their annual Form 10-K.
Companies must describe their “processes, if any, for assessing, identifying and managing material risks” from cyber threats, the SEC said.
This includes whether risks from current or previous incidents have materially affected “or are reasonably likely to” materially affect the company.
In addition, the 10-K must describe the board’s oversight of risks, and management’s role and expertise in assessing and managing material risks from cyber threats.
“Companies have to be more forthright about the methodologies and frameworks they are using to manage cybersecurity,” said Scott Kannry, CEO and co-founder of Axio Global, a maker of cyber-management software.
Yet attorney Kevin LaCroix, executive vice president of insurance risk firm RT ProExec, writes in The D&O Diary that he has concerns about what securities plaintiffs’ attorneys will do with such information.
He envisions that, following an incident, they will scrutinize the disclosure and then argue that the company did not properly disclose the risk to investors, or challenge the board’s oversight of cybersecurity.
“Again, the plaintiffs’ lawyers armed with the benefit of hindsight after an incident has occurred will go back and scrutinize the prior board governance disclosures to try to argue that actual practices differed or omitted disclosures of oversight inadequacies that permitted the incident,” LaCroix wrote.
Although the SEC’s new rule became effective on Tuesday, most public companies won’t have to comply with the four-day incident reporting requirements until mid-December.
From his vantage point as a faculty member for the Institute of Applied Network Security, George Gerchow says the majority of companies are unprepared.
“They have not faced this kind of pressure to file an 8-K within four days of discovery of an issue that is considered of material impact,” said Gerchow, who also is chief security officer and senior vice president of IT at Sumo Logic.
Most public companies have not run proper tabletop and incident response exercises leading to identification, disclosure “and the plethora of inbound (communications) that will need to be triaged,” he added.
“Most companies do not have these processes in place, and this is why we see now almost daily news about organizations that were breached months before later disclosure,” Gerchow said.
Kannry said companies must quickly evaluate the methodologies they have in place that govern cybersecurity from a board-level standpoint. “If it’s a hodgepodge of spreadsheets and new consultants every year, you aren’t going to have consistency.”
He said companies should ask if they have the cybersecurity equivalent of a financial planning and analysis platform used in financial management reporting. “If the answer is yes, you have the underpinnings to meet the requirement.”
But the new rule raises numerous questions that are hard to answer at this point, such as how companies can meet the four-day deadline when a third party is involved.
Shardul Desai, a partner at Holland & Knight, said companies should conduct a due diligence review of their vendors’ and suppliers’ cybersecurity protocols.
Many companies use questionnaires as part of that assessment, but those may need to be updated, Desai said, “to assess for any incident response or disclosure gaps that could hinder a company’s ability to assess the materiality of a cybersecurity incident” in a timely manner.
He also recommends that third-party vendor contracts contain a provision requiring disclosure of a cyber incident within a short period of time, say 48 hours after discovery.
That could be problematic for vendors or suppliers anticipating litigation following an incident. But, Desai added, “if the parties understand the types of information that can be shared quickly during a cybersecurity incident, it would go a long way to ensure that companies meet their requirement” to make a materiality determination.
“It really depends on what the third party is not providing,” said Howard Berkenblit, a partner at Sullivan & Worcester. “If the company already knows the incident is material but just needs some more details, then it must nonetheless file the 8-K with the information it has.”
The SEC acknowledged that a company may amend its initial 8-K to add more information that was not yet available, Berkenblit said.
On the other hand, if the company needs the information from the third party before it can make the determination of materiality, it can wait “at least a little bit, though it needs to act as soon as reasonably practicable.”
The problem, Berkenblit explained, is that everything will be viewed in hindsight. “Companies will have some difficult judgment calls about when to initially disclose and when to amend those disclosures.”
And they had better be careful about it.
LaCroix said he can easily imagine a securities suit filed based on grounds that an initial, “rushed” four-day disclosure was misleading when an incident is later revealed to be of greater scope or over a longer time period than first thought.
“My fear is the disclosures that the rules require companies to make in a big rush may force companies to have to ‘go public’ before they fully understand the situation, and that plaintiffs’ lawyers will later claim these rushed disclosures were misleading and that the companies deliberately tried to ‘soft pedal’ the description of the incident.”
A number of lawyers and IT experts recommend assembling response teams that, when an incident occurs, can quickly grasp the nature and extent of a data breach—including a pathway to escalate the incident to the appropriate managers.
Among other things, the team would preserve records related to a potential incident. “Far too often, initial responders immediately engage in eradication and remediation activities that destroy valuable evidence needed for a more thorough forensics investigation,” Holland & Knight noted in a client advisory last month.
Desai suggests companies also develop a “materiality assessment team” that includes attorneys and senior executives experienced in making materiality assessments. They would work with members of the incident response team, who can provide crucial information.
With the threat of litigation arising from an incident, companies also need to have in place adequate insurance coverage, usually in the form of cyber insurance and directors and officers insurance. Hunton Andrews Kurth noted that coverage generally can be modified to further expand or strengthen coverage.
“It will behoove public companies to be extremely meticulous and careful in filling out applications for cyber coverage, given that their cybersecurity practices will be public,” Reed Smith noted in its client memo.
“There will almost certainly be coverage denials based on the insureds’ actual cybersecurity practices and procedures being allegedly inadequate or inconsistent with their disclosures.”
The average cost of a data breach in the U.S. last year was $9.44 million, according to IBM Security, up 42% from 2020.