On July 26, 2023, the Securities and Exchange Commission (SEC) adopted a final rule that strengthened and standardized the agency’s requirements for companies regarding disclosures of “cybersecurity risk management, strategy, governance, and incidents.” The SEC had issued guidance regarding cybersecurity risk in 2011 and again in 2018, but this final rule establishes new, mandatory requirements regarding the disclosures companies must make in their public SEC filings.
The final rule became effective 30 days after its publication in the Federal Register, and filers other than smaller reporting companies were to begin complying with the incident-disclosure requirement on December 18, 2023. Smaller reporting companies must comply with that requirement by June 15, 2024. Keep reading for more from our cybersecurity fraud attorney.
Why the new rule?
In the modern business world, cyber-threats and data security are big business, and they come with significant liabilities for failures and misrepresentations. A wise investor would want to know whether a company that does business on the internet is appropriately securing itself against the risks that come with a data breach, whether the data at stake is customers’ personal information, patient healthcare information, or classified or sensitive information provided to government contractors that presents national security risks.
Reporting requirements
The final rule requires disclosure of a “material cybersecurity incident” on an SEC Form 8-K within four business days after the company determines that the incident is material. The clock runs from the materiality determination, not from discovery of the incident, and the rule requires that determination to be made without unreasonable delay. The only exception permits a delay in disclosure when the “U.S. Attorney General determines immediate disclosure would pose a substantial risk to national security or public safety.”
Second, in their annual SEC Form 10-K, public companies are required to disclose information regarding (1) cybersecurity risk management and strategy, (2) management’s role in assessing and managing material risks from cybersecurity threats, and (3) the board of directors’ oversight of cybersecurity risks. These requirements apply to any entity that files periodic reports with the SEC.
These new requirements make it an explicit duty for a company to report to the SEC and the investing public how it handles cyber risks. To that end, the meaning of “material cybersecurity incident” will be the key to determining what to disclose about a data breach and when to disclose it.
The SEC has long answered the materiality question by stating, “Information is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the total mix of information available. Doubts about the critical nature of the relevant information should be resolved in favor of those the statute is designed to protect, namely investors.” See TSC Industries, Inc. v. Northway, Inc., 426 U.S. 438, 449 (1976); Basic, Inc. v. Levinson, 485 U.S. 224, 232 (1988); Matrixx Initiatives, Inc. v. Siracusano, 563 U.S. 27 (2011); 17 CFR 230.405 (Securities Act Rule 405); and 17 CFR 240.12b-2 (Exchange Act Rule 12b-2).
The final SEC rule and the False Claims Act
Cybersecurity and the protection of private data are essential and quickly evolving areas of compliance. The days of cavalier attitudes toward data protection and cybersecurity regulations are long gone. This new SEC rule, which, as noted above, applies to all filers, comes on the heels of the U.S. Department of Justice (DOJ) launching its own Civil Cyber-Fraud Initiative in late 2021, which applies to companies doing business with the federal government. The initiative is led by the Fraud Section of the Commercial Litigation Branch in DOJ’s Civil Division.
The primary tool DOJ will use to enforce its Civil Cyber-Fraud Initiative is—you guessed it—the federal False Claims Act (FCA). Companies that knowingly provide deficient cybersecurity products or services, knowingly misrepresent their cybersecurity practices or protocols, or knowingly violate obligations to monitor and report cybersecurity incidents and breaches will be in the crosshairs and face liability under the FCA.
Whistleblowers and the new SEC rule
Whistleblowers will continue to play a critical role in FCA and SEC cybersecurity enforcement cases. Internal company whistleblowers are uniquely informed about their employers’ behavior and compliance with cybersecurity laws and regulations. Covering up a data breach or failing to institute internal protocols that protect data is actionable under the FCA if federal funds are involved. Under the SEC Whistleblower Program, a public company’s failure to disclose a material data breach, regardless of its internal protocols, is potentially actionable now that the new rule is in effect.
Helping whistleblowers hold contractors accountable
Bracker & Marcus partner Julie Bracker is at the forefront of developing this area of law, serving as lead counsel in United States ex rel. Decker v. Pennsylvania State University, one of the first unsealed cases under the initiative, and several other sealed matters.
Ms. Bracker is speaking on cybersecurity enforcement through the FCA at the American Conference Institute’s False Claims and Qui Tam Enforcement conference in New York City on January 23-25, 2024, which she is also chairing. Ms. Bracker will also speak on the same topic at the ACI Cybersecurity Law and Compliance conference in Washington, D.C., on February 27-29, 2024.
If you know of a government contractor misrepresenting its cyber-compliance efforts, contact us for a free evaluation.