Member News

Thompson Hine | Preparing for SEC Cybersecurity Incident Reporting

Under the Securities and Exchange Commission's (SEC) new cybersecurity disclosure regulations, public companies are required to file a Form 8-K under "Item 1.05 Material Cybersecurity Incidents" to report any material "cybersecurity incident," which the rules define as "an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a [company's] information systems that jeopardizes the confidentiality, integrity or availability of a [company's] information systems or any information residing therein." The Form 8-K is due within four business days after the company determines that the incident is material, and that materiality determination must be made without unreasonable delay after discovery of the incident.

Accordingly, the SEC's broad definition of a "cybersecurity incident" may implicate a wide range of cyberattacks, and companies should consider updating their cybersecurity incident response plan (IRP) to ensure that compliance officers, legal counsel, management, board members, and other key stakeholders are properly integrated into incident response efforts.

Cybersecurity Incident Response Plan

As background, a cybersecurity IRP generally should address five key areas:
1. Preparation.
Companies need to implement technical and organizational security controls to prevent malicious cyber activity from occurring, and develop a formal, documented IRP to ensure they are prepared to respond when a cyberattack occurs.
2. Detection.
Companies should develop processes to identify precursors to a cyber incident and indicators that a security compromise is occurring or has occurred. A company's IRP needs to account for the various means by which an incident can be detected, such as automated detection capabilities (for example, antivirus or endpoint detection software, intrusion detection systems, and log monitoring) or manual means (for example, reports from employees or from outside parties through a vulnerability disclosure program).
3. Analysis.
After a cybersecurity incident has been detected, companies need to analyze the incident's nature and scope, including whether the activity is malicious, which systems and data are affected, and the level of resources likely to be needed for containment.
4. Containment.
How a company chooses to contain a cybersecurity incident will vary with the nature and scope of the incident itself, but a comprehensive containment strategy is essential to ensure that an incident does not continue to spread and cause further harm, loss, and damage.
5. Recovery.
After a company contains an incident, it must then eradicate any remaining sources or artifacts of malicious activity (for example, purging malware and disabling compromised credentials) and restore networks and systems to their normal state of operability and functionality. Companies should also conduct a post-incident assessment or "lessons learned" review to evaluate their IRP and how well it was executed.

Updating Cybersecurity Incident Response Plan in Light of SEC’s New Cybersecurity Regulations

Companies should review their cybersecurity IRP to identify the phases at which, and the mechanisms by which, a cybersecurity incident must be reported internally to compliance officers, legal teams, management, and board members. This identification could be especially challenging for larger companies that have to address hundreds, if not thousands, of attempted cyberattacks per month.

For example, companies may be subject to cyber incidents resulting from or otherwise related to: ransomware attacks deployed by state actors or criminal enterprises, a distributed denial-of-service attack, an attack executed through a website or web-based application, spoofed or phishing emails containing malicious file attachments or seeking to steal account credentials, and the loss or theft of an employee's laptop or similar device.

Accordingly, companies that are subject to the new SEC cybersecurity regulations should consider updating the "analysis" phase of their IRP to expressly identify the circumstances in which particular types of cybersecurity incidents must be escalated to compliance officers and legal teams, so that they can determine whether an incident needs to be further reported to the C-suite and board members or disclosed on a Form 8-K.

This "internal reporting" part of the IRP should identify the key stakeholders in the company who need to be informed of an incident, and their designated backups if they are not available; address when and how often these stakeholders will be briefed on an incident; and list the communication methods (for example, email, telephone, in person, or out-of-band channels in case corporate email or messaging systems are themselves compromised).

Assessing Materiality of Cybersecurity Incidents

At a minimum, the content of these internal reporting briefings needs to address the factors that are key to determining whether a company's SEC cybersecurity disclosure obligations have been triggered, such as the type of attack and its business interruption impact, whether the attack is confined to the company's own environment or involves a third-party vendor, the number of critical networks, services, or devices affected, the identity of the threat actor, any ransom demands, and the type of data compromised (for example, trade secrets, proprietary information, or sensitive personal data).

These are just some of the qualitative and quantitative factors that must be analyzed for a company to assess the impact of a cybersecurity incident and whether it must be disclosed under the SEC's cybersecurity regulations. Companies should develop guidelines, scorecards, or other tools for assessing the materiality of cyber incidents in advance, and should consider conducting "dry runs" or tabletop exercises with their technical teams and the key stakeholders so that the escalation and materiality process is practiced before a real incident occurs.

New Cybersecurity Disclosures in Form 10-K

Starting with 2023 Form 10-Ks for calendar year-end companies, cybersecurity-related disclosures also will be required in companies' annual reports on Form 10-K under a new "Item 1C. Cybersecurity." Companies will be required to describe, among other things: their cybersecurity risk management processes (including how those processes are integrated into the company's overall risk management process, the use of third parties such as assessors or consultants, and processes to oversee risks from cybersecurity threats associated with the use of any third-party service providers); whether and how any risks from cybersecurity threats, including from previous incidents, have materially affected, or are reasonably likely to materially affect, the company, including its business strategy, results of operations, or financial condition; and the board's oversight of, and management's role in, assessing and managing risks from cybersecurity threats (including management's relevant expertise and the processes by which management and the board are informed about cybersecurity risks). Companies will want to ensure that these public disclosures are backed up by their IRPs and actual practices, and are consistent with board minutes and internal communications.


Compliments of Thompson Hine – a member of the EACCNY.