[author: Bradley Barth]
Corporate legal departments are scrambling to stay ahead of the latest developments around cyber incident disclosure rules and regulations.
In hopes of reducing panic and distress, a pair of legal experts are issuing a plea for common sense to both the U.S. federal government and private sector. The hope is that a “Goldilocks” balance can be struck, such that companies remain accountable and transparent, while not revealing too much, too soon, or becoming vilified.
Sam Singer, chief cyber counsel at Boeing, and Trâm Phi, general counsel at Databricks, recently expressed this viewpoint in a video interview previewing key topics that will be addressed at the American Conference Institute’s upcoming Cyber Law and Compliance conference, taking place Feb. 28-29 in Washington, D.C.
In some cases, Singer and Phi (both conference co-chairs) believe the fretting and hand-wringing over federal cyber regulation may be unwarranted, as companies are panicking over questions that have already been largely answered – such as how to define the materiality of a particular incident.
On the other hand, there remain key disconnects between regulators and the companies they oversee – questions such as how to define critical infrastructure, or to what extent the victim of a cybercrime is culpable for its predicament.
“I think organizations are becoming more comfortable reporting,” said Singer. “And I think the government and information-sharing organizations are getting more of the operational information that they need.” However, there are still areas that could be improved, he noted.
One recent development that Singer and Phi agree has moved in the right direction is the SEC’s implementation of new rules surrounding cyber incident disclosure. These rules, which took effect in mid-December 2023, require publicly traded companies to disclose any material cybersecurity incident on Form 8-K within four business days of determining that the incident is material, describing its nature, scope and timing and its actual or reasonably likely impact on the company. They also compel companies to describe their cyber risk management, strategy and governance processes, and the potential impact of cyber risks, in their annual reports on Form 10-K.
Singer and Phi both opined that there’s really nothing new here that should send legal departments into a tizzy.
“Companies really are going to be able to leverage existing internal processes to meet [the] new compliance requirements,” said Phi, noting that nothing has fundamentally changed.
“…Before the rules went into effect, if a public company had a cybersecurity incident that had or was expected to have a material [impact], they would have had an obligation to disclose that in a Form 10-K or a Form 10-Q. And they also had the option to disclose it on an 8-K.” The main difference now, she continued, is that the 8-K disclosure requirement “isn’t optional anymore. And so companies need to adjust their disclosure controls and procedures to account for the new timing requirements.”
“But really, at the end of the day, I agree it’s still a materiality test,” she added. And the definition of materiality has not changed.
“The standard for materiality is as old as the Securities Exchange Act, and developed over decades of federal case law,” said Singer. “The SEC has been very clear that they’re not, with this rule, changing that standard in any way. They’re simply imposing time, place and manner requirements [which are]… consistent with how you report other material incidents... So in that sense, I don’t see it as a substantive change in the reporting landscape. I don’t see it as a… conflicting reporting requirement. I see it as… clarifying what the law already says.”
But there are other aspects of cyber regulation enforcement that will need further clarification, according to Singer and Phi.
For starters, the SEC sent shockwaves through the cyber community when it leveled fraud charges against SolarWinds and its CISO Timothy Brown, alleging that the company defrauded investors by overstating SolarWinds’ cybersecurity practices and failing to disclose known risks.
“That’s pretty worrisome, with some expressing concerns about an overreach, and [it’s] something that many people are tracking very closely,” said Phi, who went on to list some key takeaways from the SEC complaint. First, “the security team has to really be very tightly aligned with the legal team” in order to “ensure that what needs to be disclosed will be.”
Moreover, the SEC isn’t just looking at your official filings. “If you look at the complaint, there are a lot of references in the charging document to statements on SolarWinds’ website, for instance. So it’s a reminder to public companies to ensure that they have appropriate support for all the public statements that they’re making, not just those in their SEC filings,” Phi continued.
Singer, meanwhile, identified the SolarWinds news as an instance where the public and private sectors could be more aligned in terms of factoring context into regulatory enforcement and liability – lest companies feel stigmatized and lose trust in the government.
“You would assume that an incident subject to a suit like this would have revealed a wildly unprepared organization that was burned by a low-rent cyberattack, as opposed to a highly sophisticated foreign intelligence campaign,” Singer said. “It’s worth… reminding that SolarWinds was attacked by one of the most advanced threat actors that the U.S. intelligence community is aware of.”
Likewise, further rules clarification will be necessary to help critical infrastructure providers properly comply with disclosure expectations set forth by the 2022 Cyber Incident Reporting for Critical Infrastructure Act, aka CIRCIA. (A Notice of Proposed Rulemaking for the act must be published by March 2024.) The good news, said Phi, is that in many cases “covered entities are going to be able to leverage their existing incident response processes, supplemented by whatever is going to be required with these new rules.”
Still, more work needs to be done. “I think the biggest question mark with this reporting regime is: What does ‘critical infrastructure’ mean?” said Singer. “The idea that being a critical infrastructure organization is now… a trigger for regulation is a new and challenging concept. And I still think that there’s going to be a lot of difficult questions to answer there, especially for IT organizations and technology companies whose services cut across every critical infrastructure sector. Managed service providers, consultants – where do they fit in?”
In the course of their joint interview, Singer and Phi also expressed their perspectives on possible future cyber legislation to address concerns surrounding artificial intelligence and supply chain security. They also previewed some of the content they are most looking forward to at ACI’s Cyber Law and Compliance conference. For the full interview and more on the conference, visit www.AmericanConference.com/cyber-security-law
Interview quotes were edited for length and clarity, as needed.