Above Board: Proposed Cybersecurity Disclosure and Reporting Requirements for U.S. Public Companies and Critical Infrastructure Entities

In this episode of the Above Board podcast, Morrison & Foerster partner and host Dave Lynn speaks with partners Alex Iftimie and Haima Marlier, who formerly served in senior counsel roles at the U.S. DOJ and SEC, respectively, on new initiatives to require disclosure and reporting of cybersecurity incidents against the backdrop of a heightened threat environment for cybersecurity risks. The discussion addresses the SEC’s recently proposed amendments to require real-time incident reporting and detailed disclosures regarding cybersecurity risk management, strategy, governance, as well as new legislation which will impose new cybersecurity incident reporting requirements for critical infrastructure entities.

Transcript

Speaker: Welcome to MoFo Perspectives, a podcast by Morrison & Foerster, where we share the perspectives of our clients, colleagues, subject matter experts, and lawyers.

Dave Lynn: Welcome to the Above Board podcast. I’m Dave Lynn, a partner at Morrison & Foerster, and I’m pleased to be joined today by two of my colleagues to discuss two important developments regarding cybersecurity, disclosure, and reporting. I’m joined by Alex Iftimie, me who’s co-chair of Morrison & Foerster’s Global Risk and Crisis Management group. And prior to joining Morrison & Foerster, Alex held multiple senior positions at the Department of Justice. I’m also joined by Haima Marlier, who’s co-chair of Morrison & Foerster’s Securities Litigation, Enforcement, and White Collar Defense group. And prior to joining Morrison & Foerster, Haima was senior trial counsel at the Securities and Exchange Commission. Today, we wanted to talk about some recent developments that boards of directors should be aware of regarding the reporting of cybersecurity incidents. This comes at a time when many companies are facing a particularly heightened threat environment for cybersecurity incidents. First off, the SEC recently proposed amendments to its rules to require a set of disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting. This would reply broadly to public companies that report with the SEC. If the SEC adopted these amendments as proposed, how would that change the landscape for public company disclosure about cybersecurity incidents?

Haima Marlier: Thanks, Dave. This is Haima, I’ll take that one first. I read the SEC’s proposed rules concerning public companies’ cybersecurity disclosure as at a very high level solidifying existing cyber‑related guidance and enforcement, albeit with some important changes. So before the proposed rule came out, the SEC’s 2018 guidance urged public companies to inform investors regarding material cybersecurity risks, and it also counseled them to have bespoke cybersecurity disclosure policies and procedures that were tailored to the specific risks that those companies faced. Nothing has really changed in that regard. However, two things that I think are interesting and definitely merit discussion about the proposed rule is now companies have to disclose material cybersecurity incidents within four business days of a materiality determination. That’s very new. Previously, there was not a timetable down to the number of business days that a company had to disclose a material cybersecurity incident, although they certainly had an obligation to do so. The other thing that I think is interesting is the proposed rule, if adopted, would require public companies in their periodic SEC filings—so their 10 Qs and their 10 Ks—to also disclose cybersecurity incidents which standing alone might be immaterial, but in the aggregate could be material information that investors would need to know about.

Dave Lynn: Are there changes that companies should now consider in terms of their policies and their procedures around disclosure of cybersecurity incidents that would make sense to revisit in light of these proposed rules from the SEC?

Haima Marlier: Yes. I think this is a good time for companies to look at their policies and procedures. The proposed rule came out on March 9th, and it’s open for public comment until May 9th. So that gives companies a little breathing room now to digest what could be new requirements for them if the proposed rule were to be finalized. I think that, what we’re counseling clients is, right now, look at how your policies and procedures provide for escalation. By escalation, I mean, what is your process—your organization’s process—for ensuring that information about cybersecurity incidents moves out of the IT departments, away from the tech people, and goes up to legal departments and other committees that would have responsibility for disclosures. And that could go all the way up to your senior executives and your board. So now is a really good time to look at, do our processes empower our employees to escalate incidents as they happen?

Haima Marlier: Also, bear in mind that the new rule, if adopted, would require public companies to disclose immaterial cybersecurity incidents that in the aggregate could be considered to be material. So what that means as far as what we tell clients, is you also need a process whereby basic information about immaterial cybersecurity incidents is also periodically being escalated into the legal department so that the organization’s lawyers can consider whether that would need to be disclosed in a periodic SEC filing. Lastly, I would say if the proposed rule is adopted, organization’s policies and procedures will have to become disclosed to investors. So now with the real chance that these policies and procedures are going to go out there into the ether for investors to consider and shareholders to review, now’s a really good time to ensure that they’re buttoned up. Again, that they’re bespoke. By that I mean, it’s not some off-the-shelf policy. It is tailored to the risks that organization faces. And also that it really has an understandable and workable process for escalation.

Dave Lynn: Yeah, I think that’s a great point. And one of the interesting things about the proposal, in addition to the current reporting regarding incidents, the SEC contemplates rules that would basically require a lot of additional disclosure about the risk management and strategy that is being utilized to address cybersecurity risks. And the rule, as proposed, would include a number of specific examples that companies would have to consider addressing. The question that inevitably rises is should companies now revisit their approach to cybersecurity risk management, just in light of the possibility that a spotlight will be shined on that effort as a result of the rules, if they are ultimately adopted?

Haima Marlier: Absolutely. And I would say that nearly all of our clients have had robust cybersecurity policies and procedures. That part is not new. What would be new if this proposed rule is adopted is that it would require periodic disclosures of public companies’ cybersecurity risk management governance structures. That might be something for certain clients where the policies and procedures don’t necessarily have that precise level of detail that you’re talking about, Dave. You know, who owns what piece of this governance structure and what are they supposed to do when they are told that there’s an incident? For example, the proposed rule says that organizations must now delineate precisely who is responsible for cybersecurity governance and who is responsible for ensuring that programs are tailored to known risks. Of course, as we all know, from this space and from working on these incidents, the known risks can change.

Haima Marlier: And so the proposed rule also provides that they have to be reassessed periodically. So there’s a lot going on here that even the most bespoken, most tailored cybersecurity policies and procedures might just not have had this level of information that’s being contemplated by the proposed rule. Again, as I said before, there is some time. Comments aren’t due to come in until May 9th, and then—how the SEC’s process works is—they’ll consider all of those comments. And then they’ll write a final rule, which is voted on by the commissioners. So again, not a ton of time, but there is a little bit of cushion for organizations to work on some of these issues.

Dave Lynn: And one topic that’s particularly of concern in the boardroom is the SEC proposes to require disclosure of the cybersecurity expertise of members of the board of directors. And the question comes up, does this change the approach that companies should take when recruiting directors and considering the skillsets that should make up the board of directors?

Haima Marlier: Well, in my view, this clearly seems to be the SEC signaling to investors that, hey, now, when you look at board composition in all of the other things that you think about when you invest in a public company, you ought to also think about whether any of those folks that sit on the board have specific cybersecurity expertise and what is their expertise? That’s different. I know that when many of us buy stock in your big public companies, that’s not necessarily top of mind. So the SEC’s signal to investors is pretty strong and pretty interesting. I think this could change the approach that companies take to recruiting directors. Not because I don’t read the SEC’s proposed rule to impose any requirement on board of director cybersecurity expertise. That said the way that markets work is if you could invest in two similarly situated public companies in a sector, and one has one or two really strong board members with cybersecurity expertise on their board, that may end up becoming a more attractive company for investors. So I think this is a really interesting part of this proposed role, where the SEC is almost inserting itself into the discussion of what investors may wish to focus on when they invest in public companies, especially in light of where you started, Dave, which is that companies are facing cybersecurity attacks of increasing volume and also increasing diversity—different types of attacks.

Dave Lynn: Yes, this is definitely a proposal that we will continue to monitor and see how the public comment plays out and what the SEC ultimately decides to do. Interestingly enough, around the same time that the SEC was proposing these new rules, Congress was acting on its spending legislation and as part of that was a provision that dealt with new requirements for entities deemed to be critical infrastructure and they must now report cyber incidents and this is definitely an area of development that caught many people’s attention and so it’s interesting to see what exactly are those requirements and why are they so significant?

Alex Iftimie: Thanks, Dave, I’ll take the questions related to the new cyber incident legislation, and I’ll say that the timing of this legislation is notable. The legislation comes at a time when the Biden administration has warned repeatedly about the potential for Russia to engage in malicious cyber activity against the United States and critical infrastructure in particular, and at a time when the administration has indicated that they’re aware of evolving intelligence that Russia may be exploring options for potential cyber-attacks. This legislation is also influenced by the attacks of 2021, including the solar winds compromise that affected government agencies and the private sector alike and ransomware attacks like the attack on colonial pipeline that disrupted gas distribution on the Eastern seaboard, and I think there is a general view that the U.S. government needs more visibility into attacks on the private sector as it crafts its own responses to disrupt this activity and to help protect the private sector.

Alex Iftimie: And so this legislation is notable because it really is the first time that Congress has issued a cyber-incident reporting requirement that has some broad based implications across the private sector. There are two key requirements in the legislation. One is that it requires critical infrastructure entities to report cyber incidents to the department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, that’s CISA, and it requires those critical infrastructure entities to report incidents within 72 hours of becoming aware of them, and second, the legislation requires critical infrastructure entities to report ransom payments that are made in response to ransomware attacks within 24 hours, and those reports are also required to be made to CISA.

Dave Lynn: And the law specifically refers to critical infrastructure entities. What does that mean in this context, who do these requirements apply to?

Alex Iftimie: That’s a great question, in particular, because I think a lot of private sector entities will look at their business and say, well, I’m not an electricity generator. I am not an oil pipeline. I’m not critical infrastructure, but the reality is that critical infrastructure is defined in this legislation is keyed off of 16 critical infrastructure sectors that are defined in presidential policy directive 21, and those are pretty broad. It includes what you would traditionally consider the core of critical infrastructure, but some of the sectors that are included in that critical infrastructure definition include financial services, food and agriculture, healthcare, information technology, in addition to, for example, the energy sector and the defense industrial base, and so there could be a pretty wide sweep with respect to the entities that are required to make reports. It will take some time to figure out exactly who these rules apply to because the legislation tasks CISA with coming up with regulations that will, will define essentially who are the covered entities that will have to make these reports, and they’re tasked with essentially taking those 16 critical infrastructure entities and within them identifying some criteria for which entities will be covered depending on whether the entity or an incident affecting that entity could impact national security, economic security, or public health and safety of the community.

Dave Lynn: Don’t some entities already have notification requirements that apply to them before this legislation was passed?

Alex Iftimie: That’s right. There are a number of, of requirements that exist from sector specific agencies, so the Transportation Security Administration and the Department of Energy and, and the Department of Treasury, and there are a number of requirements that exist to date. Part of what this legislation I think hopes to do. And what I think CISA hopes to do is to move toward a more unified reporting structure. Among other things, the bill would create a cyber-incident reporting council that is tasked with harmonizing the federal incident reporting requirements. Victims, they shouldn’t be focused on reporting the same incident to a number of different agencies, and I think a critical task for CISA is going to be to work with peer agencies, to develop hopefully a one stop shop for reporting to the federal government and to make that be CISA and how exactly they will do that, I think is something we will see in the regulations that they draft in the coming months.

Dave Lynn: What do you foresee as being the timing for these requirements to come into place and what would be the penalties if a company did not comply with these notification requirements?

Alex Iftimie: Sure. Well, let me take those questions in turn. So first is the timing. The bill gives CISA 24 months to publish its initial notice of proposed rulemaking and an additional 18 months for the notice to issue its final regulations. Now, I expect that CISA will look to draft these rules much more quickly and to get comments more quickly so that they can get to some final requirements sooner rather than later, but this is as many regulatory processes are, it’s going to be a laborious and time intensive process, and so I certainly don’t think we’ll see final rules by the end of this year though. Perhaps we’ll see some proposed rules sometime in 2022. With respect to penalties, what I would say is that there are a mix of carrots and sticks that are built into the legislation to essentially incentivize the private sector to comply with these notice obligations.

Alex Iftimie: That includes, for example, a subpoena requirement within the law that would allow CISA to issue subpoenas to companies that do not comply with their regulatory obligations if CISA becomes aware of the incident via other means, and one of the interesting things about this subpoena requirement is that any information that CISA receives pursuance to the subpoena, CISA can share with the department of justice and regulatory agencies for the purpose of initiating a regulatory enforcement or a criminal enforcement against the company that did not share the information initially as part of their affirmative obligation to do so. So, there is an incentive for companies to come forward and provide notice voluntarily because if they do so, the way in which the information that they report can be used by the U.S. government is significantly more constrained. There are liability protections and FOIA exemptions and protections for attorney-client privilege and limits on using these reports in adversarial proceedings or obtaining these kinds of reports in discovery, and so companies have an incentive to essentially provide the reports directly to CISA within the timeframe that they’re required to, to essentially avoid the possibility that this information will be used against them to their detriment, if they do not.

Dave Lynn: Well, these are certainly two very significant developments, and thank you both for taking the time to share your insights with us.

Speaker: Please make sure to subscribe to the MoFo Perspectives podcast so you don’t miss an episode. If you have any questions about what you heard today, or would like more information on this topic, please visit mofo.com/podcasts. Again, that’s MoFo, M-O-F-O.com/podcasts.