Not that long ago, financial sector regulations seldom mentioned cybersecurity expressly, instead addressing the issue indirectly through restrictions focused on general system safeguards and omnibus reporting requirements. Gone are those days. Over the past few years, federal and state regulators have increased focus on information security issues impacting financial institutions, introducing a spate of cyber rules that often include stringent regulatory reporting and disclosure requirements. This year was no different.
In the last twelve months, the Securities and Exchange Commission (“SEC”) finalized rules requiring public companies to disclose material cybersecurity incidents and proposed amendments to Regulation S-P as well as sweeping new cyber requirements for various regulated entities. Meanwhile, the Federal Trade Commission (“FTC”) approved amendments to its version of the Safeguards Rule to require non-banking financial institutions to report certain data breaches and other security events directly to the agency. And not to be outdone, the New York State Department of Financial Services (“NYDFS”)—one of the nation’s leading cyber watchdogs—closed out the year by expanding its groundbreaking requirements for cybersecurity incident reporting, safeguards, and governance. For many firms, complying with these new requirements—as well as additional new cyber rules expected soon—will require substantial effort in 2024, including updating written policies, honing incident response capabilities to rapidly notify regulators of a reportable cybersecurity incident, and redefining governance procedures.
The SEC Establishes Itself as a Chief Cyber Regulator
In April 2022, SEC Chair Gary Gensler addressed cybersecurity before a joint meeting of the Financial and Banking Information Infrastructure Committee (“FBIIC”) and the Financial Services Sector Coordinating Council (“FSSCC”). He echoed remarks previously made by Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (“CISA”), that cybersecurity is a “team sport” in which everyone—private actors, investors, and government entities—must actively participate. Though Chair Gensler conceded at the time that CISA and the FBI “captain” so-called “Team Cyber,” he stressed that “the SEC has an important role to play as well.” The agency, which before July had not promulgated a binding cybersecurity rule since the adoption of Reg S-P in 2000, showcased that “important role” this year.
New Cybersecurity Disclosure Rules for Public Companies
As we previously covered, the SEC finalized rules in July that require public companies to disclose material cybersecurity incidents as well as information regarding their cybersecurity risk management, strategy, and governance.
Reports on Form 8-K about Material Cybersecurity Incidents (starting December 18, 2023)
The rules notably create a new obligation for entities to disclose material cyber incidents on Form 8-K within four business days from the date on which the incident is determined to be “material.” A materiality determination must, in turn, be made “as soon as reasonably practicable after the discovery of an incident,” and companies must disclose the criteria by which they determine materiality in their annual reports.
The enacting release states that the materiality determination should be made using the same standard that generally applies under federal securities law—i.e., information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision or if it would “have significantly altered the ‘total mix’ of information made available” to the investor. However, this assessment is not simple in practice, particularly during the often-chaotic early days of a cyber attack when an incident is still unfolding and its full impact remains unclear. When determining materiality, firms must consider various elements. During the rulemaking process, some commentators suggested that this assessment ought to be a strictly quantitative one, but the release highlights a number of qualitative factors that the SEC views as important (and not necessarily readily quantifiable), including incidents in the aggregate, the impact of an incident on stock price, costs of remediation, reputational harm, and actual theft of information.
In terms of disclosure, though the SEC does not expect the provision of specific, technical information about a breach (unnecessary details that might expose a company to additional risk from threat actors), New Item 1.05 of Form 8-K does require the following information about a material cyber incident:
- When the incident was discovered;
- Whether it is ongoing;
- A brief description of the nature and scope of the incident;
- Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
- The effect of the incident on the firm’s operations; and
- Whether the firm has remediated or is currently remediating the incident.
Companies also have a duty to update Form 8-K to the extent new information about an incident becomes available after filing. Importantly, the rules do not allow companies to delay disclosure in order to mitigate the risk of ongoing or additional cybersecurity incidents nor do they include an omnibus law enforcement exception related to ongoing investigations. A company may, however, delay notification for up to thirty days only if the U.S. Attorney General determines that disclosure poses a substantial risk to national security or public safety and so notifies the SEC of this determination. As a practical matter, we expect that it will be difficult for most companies to take advantage of this exception outside the scope of a significant national security event.
Annual Reports on Form 10-K about Cyber Risk Management, Strategy, and Governance (for the fiscal years ending on or after December 15, 2023)
Additionally, the rules require annual reports on Form 10-K regarding (1) the firm’s processes for assessing, identifying, and managing material risks from cyber threats (in sufficient detail for a reasonable investor to understand) and (2) the role of management and the board in cyber governance, including management’s role in assessing and managing cyber risks and directors’ oversight of such risks.
In providing disclosures about processes for assessing and managing material cyber risks, a company should address (as applicable):
- Whether and how any such processes have been integrated into the firm’s overall risk management system or processes;
- Whether the firm engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
- Whether the firm has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.
This requirement is pared back from what was included in the proposing release, which would have required disclosure of whether the firm undertook activities to prevent, detect, and minimize the effects of cybersecurity incidents and had established business continuity and recovery plans. Importantly, companies will still need to consider how they describe their processes to avoid giving bad actors a roadmap to potential vulnerabilities in information systems.
In terms of governance-related disclosures, the SEC ultimately concluded it would not implement the proposed requirement to describe board members’ cybersecurity expertise. The agency noted that, after reviewing comments on the issue, it concluded that it is the management team that primarily manages effective cybersecurity processes, and boards with varied risk management and strategic skills can properly oversee these efforts without necessitating specific technical expertise.
A Battery of Proposed Cybersecurity Amendments and Rules
The SEC also issued a series of new cybersecurity proposals, delivered seriatim in March 2023, regarding (1) amending Reg S-P (covered here), (2) expanding Regulation Systems Compliance and Integrity (“Regulation SCI”), and (3) implementing cybersecurity risk management requirements for various entities, including broker-dealers and transfer agents, to address their information security risks.
If adopted, the Reg S-P amendments would require broker-dealers, registered investment companies (with business development companies, “registered funds”) and investment advisers to adopt written policies and procedures creating an incident response program to deal with unauthorized access to customer information, including procedures for notifying persons affected by the incident within 30 days. The Reg S-P proposals are, of course, in addition to the other pending cyber rules introduced in March, as well as the SEC’s separate proposed risk management regulations for investment advisers and funds advanced in 2022 that are described in this Ropes & Gray Alert. In fact, the SEC re-opened the comment period for the 2022 investment advisers and funds proposals, which were expected to be finalized last October and will likely be adopted sometime in 2024.
A “Vigilant” Approach to Cybersecurity Enforcement
On top of its fevered cyber rulemaking, the SEC prioritized cybersecurity enforcement in 2023 and will continue to do so in the coming months and years. In November, the SEC announced its Enforcement Results for Fiscal Year 2023, which stated that the Division of Enforcement “has been vigilant in ensuring that market participants reasonably disclose material cybersecurity risks and incidents.”
Additionally, in a surprising move this October, the SEC filed a landmark cybersecurity enforcement action against SolarWinds and its Chief Information Security Officer (“CISO”). The enforcement action is one of many firsts for the SEC: the agency’s first attempt to bring scienter fraud charges related to allegations about a public company’s cyber disclosures; its first litigated enforcement action involving the same; and its first cyber lawsuit against an individual.
The FTC Implements New Breach Reporting Obligations and Continues to Scrutinize Use of Tracking Technologies
In October, the FTC, which has recently actively enforced its Safeguards Rule, adopted amendments to the regulation to require non-banking financial institutions—e.g., mortgage brokers, financial planners, credit counselors, tax preparers, auto dealers, and financial technology companies—to report information about a notifiable security event affecting the unencrypted data of 500 or more customers “as soon as possible,” and within 30 days at most.
This new rule will likely lead to increased exposure for institutions that experience security incidents, as the FTC has indicated that it intends to “enter notification event reports into a publicly available database.” The rule also highlights the growing tension between financial regulators’ desire to increase their understanding and oversight of cybersecurity threats and the rapid proliferation of onerous reporting regulations for companies victimized by cyber attacks.
A “notification event” under the amended rule is notably broader than the definition of “security event” in the FTC’s proposal. This new definition means that regulated firms must comply with the rule’s obligations with respect to unauthorized disclosures of data in addition to data breaches, which is consistent with how the agency has interpreted the Health Breach Notification Rule (“HBNR”).
Additionally, in July 2023, the FTC, along with the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”), sent letters to approximately 130 hospital systems and telehealth providers intended to warn those entities of the privacy and security risks of online tracking technologies integrated into their websites and mobile applications. As we previously discussed, those entities may be impermissibly disclosing consumers’ sensitive personal health information to third parties such as Meta/Facebook pixel and Google Analytics through the use of such online tracking technologies in potential violation of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the FTC Act, and HBNR.
NYDFS Updates its Stringent Cybersecurity Regulations
The SEC, FTC, and other federal financial regulators have been joined by state agencies in recognizing the tangible threats that cybersecurity failures pose to financial investors and markets. Through its detailed and prescriptive cybersecurity rules that came into effect in February 2018, NYDFS has asserted itself as a leading regulator in this space.
As discussed here, NYDFS amended its Part 500 Cybersecurity Regulations for state-licensed financial institutions in November. The amendments reflect the first significant change to the regulations since their inception and incorporate new information security compliance obligations for regulated entities—institutions operating under or required to obtain a license or similar authorization under New York’s insurance law, banking law, or financial services law. The rules accordingly apply to health insurance companies operating in New York, as well as entities that sell annuities or other insurance products if such institutions receive a license from NYDFS.
Perhaps most notably, the amendments expand on the agency’s 72-hour cybersecurity event reporting obligation by incorporating a new 24-hour notification requirement for entities that make extortion payments. In addition, all regulated entities will need to comply with extensive new cybersecurity governance obligations. An institution’s “senior governing body”—a board of directors, board committee, or equivalent governing body—must oversee the firm’s cybersecurity risk management and approve written policies for the protection of the entity’s information systems and data stored on those systems at least annually. Importantly, the senior governing body must have a “sufficient understanding of cybersecurity-related matters” and provide sufficient resources for managing the cybersecurity program.
Further, under the amended regulations, a CISO must provide to the senior governing body annual written reports that include plans for remediating “material inadequacies” in the cybersecurity program. The CISO must also “timely report” to the senior governing body material cyber issues, such as significant cybersecurity events and important changes to the cybersecurity program. It appears NYDFS, like the SEC, is increasing focus on individual accountability for CISOs and may also begin enforcement actions in this area as well.
Looking Ahead to 2024
For many firms, preparing to comply with these regulations will require significant effort in the coming weeks and months, including refining incident response capabilities so that companies can make an expedited public disclosure or regulatory notification about a cyber event. To that end, some initial compliance considerations should include:
- Reviewing the firm’s cyber incident response plan, and integrated legal and communications plans, to ensure inclusion of proper response, notification, and escalation procedures for all applicable rules. In particular, public companies should consider whether they have procedures in place that enable them to quickly (1) make a materiality assessment/disclosure decision and (2) convey something intelligible and accurate in a Form 8-K report;
- Creating and maintaining relationships with cybersecurity response specialists including forensic firms, attorneys, public relations, investor relations, cybersecurity insurance, and relevant law enforcement;
- Undertaking and/or updating an inventory of systems and data;
- Continuing to evaluate and document board and committee oversight of cyber risks and management’s role in handling such risks; and
- Elevating third party risk management—even “internal” data often flows across the networks of several third parties, managed service providers, and cloud computing companies.