Many Companies Far From Ready for Fast-Approaching SEC Cybersecurity Deadline

Reporting cyber incidents within 4 days will require cooperation among third-party service providers that may not yet be prepared.

A new study shows public companies are making strides in bolstering their cybersecurity programs ahead of new federal rules effective in December. But the recent Deloitte survey of more than 1,300 executives also suggests many companies have a long way to go in updating policies and practices, particularly those involving communication with third-party service providers.

Once a company determines that a cyber breach is material, it will have just four business days to report the incident in an 8-K filed with the Securities and Exchange Commission (SEC). Many survey respondents are concerned about their ability to comply with this expedited reporting timeline when a third party is involved.

Only 11 percent of executives surveyed by Deloitte said they have controls and protocols in place with third parties. Another 23 percent said they are working on getting those controls and protocols in place. A larger percentage, 27.4 percent, said they have not yet completed evaluations of communication with third-party suppliers but are in the process.

Companies should conduct a due diligence review of their vendors’ and suppliers’ cybersecurity protocols, Shardul Desai, a partner at Holland & Knight, told Law.com last month.

The idea is to look for “any incident response or disclosure gaps that could hinder a company’s ability to assess the materiality of a cybersecurity incident” in a timely manner, he said.

Third-party organizations might be reluctant to share much—mindful of potential litigation to follow. But establishing ahead of time what kind of information could be shared quickly would go a long way toward helping companies meet their obligation to determine materiality, Desai added. A company could then file an 8-K and update the SEC later with subsequent filings.

The new Form 8-K Item 1.05 will need to describe the scope, nature, and timing of a cyber incident, “as well as the material impact or reasonably likely material impact of the incident on the company, including its financial condition and results of operations,” Dechert said in a detailed analysis of the new rules.

So far, just 33.9 percent of the public company executives polled by Deloitte have evaluated communications with third-party service providers.

“Whether organizations are publicly traded or do business with public companies, clear communication from top leadership about cyber risk management expectations can help mitigate security risks within organizations themselves, but also with their broader supply chains and ecosystems,” Daniel Soo, a leader of Deloitte Risk & Financial Advisory, said in a statement.

Although companies currently are required to report material cybersecurity breaches, they’ve not faced the pressure of a four-day deadline. Companies need to determine whether an incident is material “without unreasonable delay,” one of those regulatory clauses just vague enough to cause trepidation among management teams.

George Gerchow, a faculty member for the Institute of Applied Network Security, said the majority of companies are unprepared, amounting to a potential nightmare for firms lacking a sound framework for managing data security. Few have run incident-response exercises leading to identification, disclosure, “and the plethora of inbound (communications) that will need to be triaged,” Gerchow said recently.

Also part of the SEC’s new cybersecurity rules is Regulation S-K Item 106. Companies must “describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats.”

They also must describe the board oversight of risks from cyber threats, and management’s “role and expertise” in assessing and managing material risks.

Such information will have to be included in their annual reports for fiscal years ending on or after December 15. Public companies will have to comply with the 8-K reporting rule as of December 18, while smaller companies won’t need to file Form 8-K disclosures until June 15 of next year.

Deloitte’s survey also found that nearly 65 percent of executives believe their public company will strengthen its cybersecurity programs, with over half of these executives also pushing their third parties to do the same. Of those companies, 17 percent have been preparing for at least six months, 19 percent for the last 6 to 12 months, and nearly 17 percent for more than a year.

The SEC proposed changes to its cybersecurity regulations over a year ago, saying a more consistent reporting regime will help companies and investors.

However, critics have warned the rules could provide fodder for shareholder lawsuits. Plaintiffs’ attorneys could allege, for instance, that a company had more information about a breach than it actually disclosed or should have disclosed. Some are also concerned insurers might impose more stringent underwriting standards against such claims.

From: Corporate Counsel