Many companies far from ready for fast-approaching SEC cybersecurity deadline

Companies will have to report cyber incidents within four days of determining they're material.

Credit: ArtemisDiana/Adobe Stock

A new study shows public companies are making strides in bolstering their cybersecurity programs ahead of new federal rules effective in December, including one giving them just four days to report a cyber incident.

But Deloitte’s survey of more than 1,300 executives also suggests that legal departments may still have to crack the whip on management to update policies and practices, particularly those involving communications with third-party service providers.

With companies having just four business days after determining a cyber breach is material to report it in an 8-K, many respondents are concerned about the ability to comply with the expedited reporting timeline when a third party is involved.

Only 11% of executives surveyed by Deloitte on Aug. 24 said they have controls and protocols in place with third parties. Another 23% said they are still working on it.

A larger percentage, 27.4%, said they have not completed evaluating communications with third-party suppliers but are in the process.

Companies should conduct a due diligence review of their vendors’ and suppliers’ cybersecurity protocols, Shardul Desai, a partner at Holland & Knight, told Law.com last month.

The idea is to look for “any incident response or disclosure gaps that could hinder a company’s ability to assess the materiality of a cybersecurity incident” in a timely manner, he said.

Those third parties might be reluctant to share much–mindful of potential litigation to follow. But establishing ahead of time what kind of information could be shared quickly would go a long way in helping ensure the companies meet their requirements to make a material determination, Desai added.

A company then could file an 8-K and update the SEC later with subsequent filings.

The new form 8-K Item 1.05 will need to include scope, nature and timing of a cyber incident, “as well as the material impact or reasonably likely material impact of the incident on the company, including its financial condition and results of operations,” Dechert said in detailed analysis of the new rules.

So far just 33.9% of public company executives polled by Deloitte have evaluated communications with third-party service providers.

“Whether organizations are publicly traded or do business with public companies, clear communication from top leadership about cyber risk management expectations can help mitigate security risks within organizations themselves, but also with their broader supply chains and ecosystems,” Daniel Soo, a leader of Deloitte Risk & Financial Advisory, said in a statement.

Although companies currently are required to report material cybersecurity breaches, they’ve not faced the pressure of a four-day deadline after discovering a material breach.

Companies need to determine whether or not an incident is material “without unreasonable delay,” one of those regulatory clauses just vague enough to cause trepidation among management and in-house lawyers.

George Gerchow, a faculty member for the Institute of Applied Network Security, said the majority of companies are unprepared, amounting to a potential nightmare for firms lacking a sound framework for managing data security.

Few have run incident-response exercises leading to identification, disclosure “and the plethora of inbound (communications) that will need to be triaged,” Gerchow said recently.

Also part of the SEC’s new cybersecurity rules is Regulation S-K Item 106. Companies must “describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats.”

They also must describe the board oversight of risks from cyber threats, and management’s “role and expertise” in assessing and managing material risks.

Such information will have to be included in their annual reports for fiscal years ending on or after Dec. 15.

Public companies will have to comply with the 8-K reporting rule as of December 18, while smaller companies won’t need to file Form 8-K disclosures until June 15 of next year.

Deloitte’s survey also found that nearly 65% of executives said their public company will strengthen its cybersecurity programs, with over half of these executives also pushing their third parties to do the same.

Of those companies, 17% have been preparing for at least six months, 19% for the last 6-12 months and nearly 17% for more than a year.

The SEC proposed changes to its cybersecurity regulations over a year ago, saying a more consistent reporting regime will help companies and investors.

However, critics have warned the rules could provide fodder for shareholder lawsuits. Plaintiff’s attorneys could allege a company had more information about a breach than it actually disclosed or should have disclosed, for instance.

Some are also concerned insurers might impose more stringent underwriting standards against such claims.

Related: