Balancing the disclosure of cybersecurity incidents has long been a challenge for those on the front lines. That has not changed, and recent regulatory activity will not ease the challenges facing breach counsel. Notification obligations and their triggers have always been difficult to apply to on-the-ground events. When did the company determine that there was access or acquisition? Does it know with any degree of certainty what happened? And while an incident response investigation is underway, what should be said to regulators, investors, and affected individuals? Now the SEC has adopted regulations, effective December 18, 2023, requiring listed companies to disclose material cybersecurity incidents within four business days, and the FBI has already proposed guidance on how victims can ask the U.S. Attorney General to delay disclosure on national security or public safety grounds.
As we know, the risk landscape is evolving.
Cyber risks come from many different angles, and organizations must both prevent risks from materializing and remediate all identified risks in a timely and efficient manner. In mid-November 2023, the ALPHV/BlackCat ransomware group reportedly filed a complaint with the SEC against regulated entities for failing to timely report cybersecurity incidents that BlackCat itself had committed, a threatening reminder of the creativity of threat actors. With this brazen action, BlackCat demonstrated a novel but real risk: threat actors will victimize organizations through any available means.
State regulatory requirements remain dynamic.
The SEC's regulatory updates come as state and federal regulators continue to implement new cybersecurity reporting requirements. As of December 1, 2023, an entity regulated by the New York State Department of Financial Services (NYDFS) must notify NYDFS within 24 hours of an extortion payment and, within 30 days thereafter, explain why the payment was necessary, what alternatives were considered, and that the payment complies with Office of Foreign Assets Control rules and regulations. These extortion payment requirements sit alongside the existing requirement that an NYDFS-regulated entity “shall notify NYDFS as soon as practicable, and in no event later than 72 hours, after the entity determines that a cybersecurity incident has occurred at the [regulated] company, its affiliates or third party service providers.”
As of December 18, 2023, SEC-regulated companies “must disclose any cybersecurity incidents they experience that are determined to be material within four business days of that determination.” The disclosure must describe the nature, scope, and timing of the incident and its impact or “reasonably likely” impact. The new rules also require disclosure of registrants' processes for assessing, identifying, and managing significant risks from cybersecurity threats.
These new requirements emphasize the importance of timely identification, investigation, and reporting of cybersecurity incidents by regulated entities. Although the NYDFS and SEC rules do not appear to conflict directly, such that compliance with one regime precludes compliance with the other, they inherently create a risk of conflict. For example, the timing of disclosures to NYDFS, including disclosures of ransom payments, is critical to building a defensible position on materiality under the SEC requirements. A disclosure to NYDFS could create an inference of materiality and could bear on the timing of SEC reporting. Additionally, NYDFS has long required certain cyber risk management processes, and those processes may now be subject to disclosure by SEC-regulated entities. Organizations must ensure that the processes they disclose are sufficient for NYDFS purposes or risk a regulatory investigation. Similarly, the SEC disclosure rules, unlike most public breach disclosure rules, authorize the U.S. Attorney General, and only the U.S. Attorney General, to determine that a delay is necessary, which is why the FBI guidance was needed. Most breach disclosure rules allow other law enforcement agencies to request delayed public reporting and disclosure.
These are all risks that threat actors can exploit. After all, they are in a unique position to have first-hand information about the nature, scope, and timing of cybersecurity incidents.
Why is this important?
U.S. breach notification laws typically give organizations several weeks to disclose data breaches: 60 days for breaches of HIPAA-regulated protected health information, or 30 days under most state laws. This gives companies time to investigate and reach a reasonable conclusion. By reducing the period to four business days while requiring that “unreasonable delays” be avoided, the SEC is increasing the pressure to investigate, respond to, and report on cybersecurity incidents that can cause significant harm to organizations. Additionally, for companies serving organizations in highly regulated industries such as healthcare and financial services, the new SEC rules could upset the delicate balance between regulated entities and their vendors.
When a major incident occurs, businesses need to make decisions faster with less information. Under the SEC's new rules, publicly traded companies must disclose a material cybersecurity incident within four business days of determining that it is material. A “cybersecurity incident” is “an unauthorized occurrence, or a series of related unauthorized occurrences, on or through the registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of the registrant’s information systems or any information residing therein.” The SEC's inclusion of “a series of related unauthorized occurrences” makes clear that materiality should be considered in the aggregate and not in isolation. According to the rule's instructions, materiality determinations are to be made “without unreasonable delay.” The SEC explains that this is meant to avoid pressuring companies to reach conclusions with insufficient information, but the risks still require companies to act quickly under the newly imposed pressure. A very typical scenario illustrates the challenge. Imagine a company making an extortion payment that it considers immaterial. The company reports the payment to NYDFS but is still working to determine whether the matter is subject to the SEC's new disclosure requirements, so nothing has yet been reported to the SEC or the investing public. When the company later explains to NYDFS why it made the payment, it must re-evaluate whether the facts and circumstances surrounding the payment, or the reasons for it, are material and require disclosure under SEC rules. The timing of when these decisions were, or should have been, made is likely to come under scrutiny from regulators and litigants alike.
However, materiality for purposes of federal securities law can be a complex concept to apply to cyber risks and cyber incidents. Materiality is measured from the perspective of a reasonable shareholder and can be assessed both qualitatively and quantitatively. Shareholders may lack the perspective needed to judge how serious a particular cybersecurity incident is, and investors, and indeed the general public, may not be aware of the scope of the daily cyberattacks on US companies. Publicly traded companies may therefore consider erring on the side of assuming materiality to avoid distracting litigation over the timing and content of disclosures. Litigating shareholders may assume and argue that once a company discovers that an incident has occurred, it should immediately recognize that the incident is material and requires disclosure. That is not true, but hindsight is always 20/20. It takes time for companies to assess the scope and impact of an incident on their operations and systems. Shareholders who run to court when faced with investment losses may not know or care.
SEC disclosures will become an easily searchable “wall of shame” for public companies. The new rules require these cybersecurity incident disclosures to be coded as Item 1.05 disclosures. These disclosures, like the HIPAA “wall of shame” of breaches at regulated entities affecting at least 500 individuals, will likely give the plaintiffs' bar an easy source for identifying potential lawsuits. An RSS feed of new filings will assist plaintiffs' attorneys.
Companies will need to disclose more detailed information about their cybersecurity programs, and that information can be second-guessed if an incident occurs. In addition to the cybersecurity incident notification requirements, the rule requires companies to disclose additional information about their approach to assessing, identifying, and managing cybersecurity risks. Unless a company has already described these processes extensively, those details create risk when the company's processes come under pressure during a cyberattack.
Publicly traded companies serving highly regulated enterprises will face new tensions regarding their direct security incident reporting obligations. The SEC's new rules affect the delicate balance between organizations in highly regulated industries such as healthcare and financial services and their vendors, many of which are publicly traded companies. Under current federal law, vendors generally report to the regulated entity, and the regulated entity then makes the public notification. The same generally applies under state breach notification laws, which usually require an entity that holds personally identifiable information it does not own or license to notify the entity that owns the data, and the data owner controls notification decisions.
The new SEC rules call this approach into question. Publicly traded vendors may now have their own breach notification obligations. If a publicly traded vendor determines that a cybersecurity incident is material to its business and requires disclosure under the new SEC rules, it may be effectively forced to disclose a security incident that it has not yet reported to its regulated entity/customer under state or federal law (such as the NYDFS regulations or HIPAA). This requires careful legal counsel and evaluation.
Consider this in the context of HIPAA. Officials at a publicly traded vendor discover evidence that a threat actor accessed certain files on a cloud server that stores client data. The vendor conducts a quick investigation, reflexively determines that the access is material (for example, because the threat actor may have been able to access other files), and discloses it under SEC rules. If a HIPAA-regulated customer stores protected health information on those servers, does the vendor's determination of what the evidence shows effectively preclude the covered entity from reaching its own conclusions? And if a different conclusion could be reached, does that create new legal risks? The reverse may also be true. The amended NYDFS regulations require NYDFS-regulated entities to notify NYDFS within 72 hours of a cybersecurity incident at a third-party service provider in certain circumstances. If an NYDFS-regulated company determines that a cybersecurity incident occurred at its publicly traded service provider and reports it to NYDFS, can the service provider still determine that the incident is not material to it?
The solution requires regulated entities and their publicly traded vendors to work together proactively to agree on how security events will be handled at the vendor level. In this way, the allocation of responsibility for meeting both parties' reporting obligations can (hopefully) be agreed in advance without upsetting the delicate balance.