Implementing the SEC’s Cybersecurity Disclosure Rules

Legal Ops professionals will be interested in this final post in the three-part blog from bytebacklaw.com on the U.S. Securities and Exchange Commission’s (SEC’s) final rules for cybersecurity disclosures.

The SEC acknowledges that materiality determinations require informed and deliberative processes, but states that a registrant should not delay determination of materiality solely when continued investigation is needed. If a cybersecurity incident is determined to be material, the clock to file an Item 1.05 Form 8-K with the SEC begins within four business days.

To help senior management make a materiality determination, the cybersecurity experts need to notify them of the known facts, the areas of uncertainty, and any items that remain unknown.

• Registrants should develop decision trees or playbooks providing examples of material and non-material cybersecurity incidents that can guide corporate leaders’ decision-making.
• Companies should have an escalation process and maintain activity/response logs including what steps are taken in response to each incident, as well as closure and the conclusion on whether or not a particular incident was material.

Registrants should identify events that will trigger secondary consequences or additional compliance requirements. It would be ironic if the legacy of the SEC’s four-day deadline turns out to be premature corporate disclosures followed by an influx of premature lawsuits.