New SEC Rule Mandates Swift and Comprehensive Disclosure from Companies Suffering Data Breaches

The new SEC rule requires publicly traded companies to report system breaches within four days of determining a potential material impact.

Publicly traded companies are adjusting their cybersecurity posture in response to a financial sector regulatory update that casts general counsels in a crucial role when responding to data breaches and other system attacks.

A Securities and Exchange Commission final rule effective in September will require such businesses to begin reporting system breaches to the agency within four days of determining that an incident may have a material impact on the company. The rule, which amends two federal regulations, requires public disclosure of incidents, something many of the government’s 51 other existing and pending federal reporting rules do not. It arrives as the federal government works to synchronize cyber standards and processes.

But a key mandate of the regulator’s final rule—ascertaining the “materiality” of a hack’s impact—still has gray areas, and in-house lawyers must prepare for dealing with the issue before the first reporting deadlines in December, said Erez Liebermann, a partner at Debevoise & Plimpton LLP.

Complying with the new disclosure requirements may lead in-house counsel to be more proactive in their cybersecurity incident planning, and companies may need to collect more data for materiality analysis and bolster interdepartmental communications, Liebermann said. “It’s extremely important for companies to have a plan in place as to how incidents that rise to the level of potential materiality get escalated from the incident response team to the chief information security officer and to the legal and business and compliance teams,” he added.

“Those are the groups that are typically going to sit around the table and decide on materiality,” Liebermann said. General counsel of regulated companies will need to account for public fallout when reporting a breach to avoid incurring legal liability or reputational loss, said Andrew Serwin, chair of DLA Piper’s privacy and data security practice. New SEC requirements include a yearly disclosure about how each company manages its cyber-threat risk landscape, and another annual report describing the company’s level of security oversight. Most public companies with a fiscal year ending on or after Dec. 15 will have to make Form 8-K incident disclosures in annual reports this year. Businesses that qualify as “smaller reporting companies” under federal regulations will have until June 15, 2024, to comply with the requirement.

Deciding What’s ‘Material’

In-house counsel should consider creating or amending their company’s incident response plan to account for the new SEC regulations, because having one eliminates guesswork when dealing with the aftermath of a hack, Serwin, the DLA Piper partner, notes. Some companies appear to have already taken heed of the SEC requirements before they take effect, including cleaning-products manufacturer Clorox, which has filed two Form 8-K disclosures describing in detail a hack it suffered in August. Clorox’s sequential filings illustrate the unfamiliarity companies have in determining the materiality of a cyberattack, said Nick Sanna, president and founder of the FAIR Institute, which promotes managing information security risk via its quantitative analysis framework.

Ascertaining whether a cybersecurity breach will have material effects on a given company can be challenging given how little is typically known about hackers’ level of access to a system in the initial hours and days following an attack, said Sanna, who is also president of cyber risk management firm Safe Security.

“The SEC has been very prudent in making sure they don’t require too many technical details, to not give the threat actors an advantage,” he said. One way some companies are adapting to the regulation is by establishing a regimen for escalating incidents, so that information technology or security teams know when to flag a breach to other departments and higher-ups involved in determining materiality. Businesses may retrain existing staff or bring in new compliance managers to create that kind of funnel system, depending on the volume of attacks they face, said Serwin.

The SEC’s final rule enacted in September gives companies a deadline of four days after determining the materiality of a cyberattack to report it to the SEC. But how much time is acceptable to determine whether a hack was material remains a key question—and the answer most likely will be “enforcement driven,” he said.

In-House Liability Concerns

Serwin posited that the requirement to describe cybersecurity governance—including the level of oversight afforded to executives and board members—could expose companies to new liabilities. Joseph Sullivan, Uber’s former chief security officer, is the most high-profile example so far of a C-suite executive facing legal consequences related to a hack. Sullivan was criminally convicted in October 2022 for withholding information from federal investigators about a massive 2016 data breach at the ride-hailing company and was sentenced in March to three years’ probation.

The SEC is currently investigating SolarWinds Corporation after it suffered a hack that led to a high-profile malware attack affecting major companies, organizations, and federal agencies. The regulator sent the company’s chief financial and information security officers notices of possible enforcement actions—known as “Wells notices”—in June.

While the SEC rules don’t stipulate a duty of care related to a company’s defenses, many state-level laws are more prescriptive about cybersecurity practices. This includes the law in Delaware, home to nearly 70% of all Fortune 500 companies. Delaware law’s intersection with increased transparency driven by the SEC could expose higher-ups to more derivative investor lawsuits or consumer class actions, Serwin comments.

Greg Varallo, a plaintiff’s attorney who leads Bernstein Litowitz Berger & Grossmann LLP’s Delaware branch, said his office hasn’t focused on whether to bring any cases to that effect, but that they’d be “looking at it” over the next several months. “While the SEC can’t dictate Delaware state law to Delaware directors, one could imagine a scenario where the Delaware courts would say, ‘Well, if the SEC is asking you to disclose this, what do you mean you don’t have a system for monitoring cybersecurity risks?’” Varallo said. Though no new fiduciary duties arise out of the agency’s most recent regulation changes, he said they appear designed to push legal developments toward a finding that public companies need strong cybersecurity programs.

One precaution Liebermann said he’s working on with clients is creating plans for a detailed log of the decision-making process in the first hours following a breach should the company decide not to report it to the SEC, in order to mitigate any later questioning of the analysis. “The reality is, the fuse is shortened on these issues more quickly than organizations have continued to plan for,” said Luke Tenery, a partner at compliance advisory firm StoneTurn Group LLP who advises public companies. The SEC’s heightened reporting and disclosure obligations “highlights the need for even more precise and knowledgeable preparedness before these things occur.”
