TheCorporateCounsel.net

February 1, 2023

Cybersecurity Rule Proposal: Considerations for Today

At this year’s Securities Regulation Institute, I served as a moderator for a panel that focused on three areas of SEC rulemaking – the cybersecurity rule proposal, the share repurchase rule proposal and the new Rule 10b5-1 and insider trading disclosure rules. In talking about how to get ready for the adoption of the proposed cybersecurity disclosure rules – which the SEC has said could occur between now and April of this year – there are a number of things that companies can do now in anticipation of the new rules. Here is my list:

1. The SEC’s cybersecurity proposals are somewhat unusual in that at least part of the proposed rules contemplate codifying existing interpretive guidance regarding real-time Form 8-K reporting of material cybersecurity incidents, so many companies already have a process in place, as part of their disclosure controls and procedures, for escalating cybersecurity incidents within the organization so that disclosure decisions can be made.

2. As a result, companies can now look at those controls and procedures and evaluate how they might need to change when the SEC adopts the proposed rules. For example, companies often focus on disclosure of individual material cybersecurity events, while the final rules may require disclosure about a series of previously undisclosed, individually immaterial cybersecurity incidents that become material in the aggregate.

3. An important tool for making rapid judgments about whether a Form 8-K must be filed to disclose a material cybersecurity event is a framework for how materiality will be evaluated, so companies should consider establishing that framework if they have not already done so. When significant cybersecurity events occur, they often do not fit neatly into specific categories, and the ultimate impact of the events may be very hard to judge; the framework is a way of articulating the specific factors that management will use when making the materiality determination.

4. It is also important to integrate the disclosure controls and procedures for disclosing material cybersecurity incidents with the company’s overall incident response plan, so that the processes do not become “siloed,” which could result in incidents being missed.

5. Companies can also begin now to develop a workplan for gathering the information that will need to be disclosed in periodic reports.

6. With respect to governance and risk management around cybersecurity, it is not too early, even before the rules are adopted, to consider potential changes in these areas. In many ways, the SEC’s disclosure rules on these topics seem to articulate the expectations that the SEC has about the governance approach.

7. When working on a policy for escalating cybersecurity incidents for disclosure purposes, it is also appropriate to consider developing a policy for when cybersecurity incidents should be escalated to the board or a committee of the board, even when those cybersecurity incidents may not ultimately need to be disclosed in SEC filings.

8. It is not too early to think about disclosure regarding cybersecurity expertise and what current and potential board members bring to the board on this particular topic, so that the company can provide the disclosure that may be required by the new rules.

9. These rules will require a great deal of cooperation among different departments and individuals within the organization, so now is a good time to establish or strengthen those relationships.

– Dave Lynn