Last month, the Securities and Exchange Commission (SEC) reemphasized just how serious companies must be about maintaining a vigilant cybersecurity posture and procedures to report cyber incidents in a timely manner.

On May 22, the SEC announced that Intercontinental Exchange (ICE) agreed to pay a $10 million settlement in connection with its handling of a 2021 cyber intrusion into its virtual private network. ICE’s legal team originally believed that the intrusion fell under a reporting exemption for de minimis events. However, the SEC said such a de minimis exemption is only available when a de minimis determination is possible within 24 hours of incident discovery. Since ICE’s security staff changed its perceived severity of the incident several times prior to making the final determination a few days after the occurrence, the event did not qualify for the de minimis exemption. This means ICE should have disclosed it to the SEC. According to the SEC, ICE caused its nine wholly owned subsidiaries, including the New York Stock Exchange, to fail to promptly inform the SEC of a cyber incident as required under SEC’s rules.

Last year, our client alert covered how SEC disclosure rules require companies to report cybersecurity incidents. This settlement is an important reminder of how critical developing a strong incident response plan before an actual incident is to ensuring compliance with reporting obligations. Incident response plans should require board member oversight and proactive communication with legal and information technology functions to fulfill corporate governance obligations. The settlement, along with recent comments from the director of the SEC’s Division of Corporation Finance, provides some insight into when a "material breach" must be disclosed.

Takeaways for Companies on Cyber Incident Reporting

The new SEC rule requires reporting companies and certain foreign private companies to determine whether a cybersecurity breach meets the materiality threshold and to:

• Disclose material cybersecurity incident within four business days from a determination of materiality through a Form 8-K filing.
• Describe the company’s processes for assessing, identifying, and managing cybersecurity risks and threats in its Form 10-K filing.
• Describe the board of directors’ oversight and management’s implementation of cybersecurity risks and incidents in its Form 10-K filing.

While the ICE settlement falls under a different SEC rule — the Systems Compliance and Integrity regulation (Reg SCI) — it emphasizes how the SEC is zeroing in on cyber incident reporting expectations.

At the core of the $10 million settlement was ICE’s prolonged assessment of the cyber intrusion impacts and then its report to the SEC in accordance with applicable rules.

Given the steep fine, companies should take several steps to limit unnecessary risks, including specifying the role of the person who oversees cyber decisions as well as training employees on data security and how the company measures the strength of its cyber programs.

Importantly, companies need to consider the reporting chain of command and process ahead of a cyber incident to streamline the determination process in order to make necessary disclosures within the four-day period. The incident response plan needs to outline clear processes and criteria for assessing the materiality of a cyber incident and whether disclosure obligations are triggered. The company’s board of directors should review the company’s cyber readiness on a regular cadence — at least on a yearly basis.

Reporting Incidents That Are Not 'Material'

Last year’s final SEC rule focused on companies reporting material incidents. The SEC considers an incident material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the total mix of information made available. The director of the SEC’s Division of Corporation Finance provided recent informal guidance on the reporting mechanics for incidents that a company has not yet deemed material.

"If a company discloses an immaterial incident (or one for which it has not yet made a materiality determination) under Item 8.01 of Form 8-K, and then it subsequently determines that the incident is material, then it should file an Item 1.05 Form 8-K within four business days of such subsequent materiality determination," Director Erik Gerding said in a May 21 statement. "That Form 8-K may refer to the earlier Item 8.01 Form 8-K, but the company would need to ensure that the disclosure in the subsequent filing satisfies the requirements of Item 1.05."

Gerding further stressed that Item 1.05 of Form 8-K should only be used for material incident disclosures given the risk of investor confusion if both immaterial and material events are disclosed in Item 1.05. "It could be confusing for investors if companies disclose[d] either immaterial cybersecurity incidents . . . under Item 1.05 [of Form 8-K]," Gerding said. In other words, companies can disclose immaterial cyber incidents, but should only do so in a way that allows investors to easily distinguish between a material and an immaterial incident.

After a final SEC rule that left companies guessing about material cyber incident disclosures, the recent informal guidance has provided additional details on the reporting mechanics of immaterial cyber incidents. This choice indicates that companies may be wise to take a preemptive approach by reporting immaterial cyber incidents.

[View source.]