The SEC’s Cyber Reporting Regulations: How Will They Work?

The US Securities and Exchange Commission (SEC) announced on July 26, 2023, that all public companies reporting under its regulations must now report any material cyber incidents within four business days of the identification of the incident by issuing a Form 8-K. The topic of cyber incident reporting is very timely and appropriate as many companies now consider cyber incidents and information security among their highest risks. The exponential growth in the use of artificial intelligence has some highly beneficial applications but it will also give cyber criminals a new range of tools so the number and sophistication of cyberattacks are set to increase.

Cyber risks are unlike other risks. Most other risks, such as financial or physical risks, may well be highly catastrophic but their cause, source, and damage are usually clearly identifiable in a short time frame. Cyber risk is different; a company can experience a cyber incident but may not know who caused it, why, the full damage, or how long it has been active.

In view of this, the new SEC regulations may cause some difficulties for companies who need to report a cyber incident. Consider the following:

1. The average time it took to identify an incident according to International Business Machines Corp.’s 2022 data was 280 days, or nearly 9 months. Some incidents, such as those involving ransomware, are obviously identifiable very quickly. However, more sophisticated and insidious malware copies or corrupts data and systems, and adapts to the defenders’ attempts to resist it. This is known as an advanced persistent threat, defined in Appendix B of the National Institute of Standards and Technology’s Guide for Conducting Risk Assessments as “an adversary with sophisticated levels of expertise and significant resources, allowing it through the use of multiple different attack vectors (e.g., cyber, physical, and deception), to generate opportunities to achieve its objectives which are typically to establish and extend its presence within the information technology infrastructure of organizations for purposes of continually exfiltrating information and/or to undermine or impede critical aspects of a mission, program, or organization, or place itself in a position to do so in the future; moreover, the advanced persistent threat pursues its objectives repeatedly over an extended period of time, adapting to a defender’s efforts to resist it, and with determination to maintain the level of interaction needed to execute its objectives.” For these types of cyberattacks, it would be difficult, if not impossible, to meet the SEC’s four business day deadline and report sufficient information about the incident.
2. What is meant by “identification” of an incident? The more advanced cyber intrusions can come in three stages: similar to physical missiles, they have a delivery mechanism, a payload, and the execution. Expert decoders may be able to identify an intrusion, even a highly sophisticated one that plants a rootkit deep in the system, but may not immediately, or for a considerable time, be able to understand what the payload is. What is the virus or worm supposed to do once it finds its way into the system and how does it release its payload? A zero-day exploit, in which cybercriminals attack using a vulnerability or flaw in the target’s software or technology, makes it even more difficult to decipher what the payload is or what damage it has been designed to cause. Some viruses are very sophisticated and send out a decoy for the decoders to “find” and stop looking for the real payload that has yet to activate. Again, how would a reporting company comply with the SEC’s requirements if all it could report was an incident, without knowing what damage it was supposed to do, when, to whom, how much, and for how long?

How Would a Reporting Company Comply?

If a reporting company finds out that it has an intrusion that has been in its systems and networks, it has a lot to do in those required four business days. The company must still file its 8-K explaining what it knows and, just as importantly, what it might not know as well as how the intrusion was eventually found. The SEC will permit a delay in the 8-K filing if the US Attorney General determines that releasing the information could endanger national security or public safety. There are sure to be some gray areas here in assessing what is material and how business damage could be assessed, especially if the company has learned very little about the incident in those four days. What may not have been considered immaterial when the incident was first discovered may subsequently become material as more is learned about it. The lack of knowledge and the implications of the incident could affect market pricing as investors speculate.

Hopefully, the SEC will understand these situations and distinguish between a fairly straightforward ransom demand and an advanced persistent threat, and not penalize a company that is working in good faith to comply but that has not been able to provide details, how far a virus has spread, and whether it can be eradicated or at least contained in those four days following the identification of the incident.

In situations where the knowledge of the intrusion takes time to discover, the company should update its 8-K filings with material information as it is discovered. Some viruses can self-replicate and reinfect even after they have apparently been eliminated. One of the golden rules of crisis management is not to overpromise or state something that has not yet been determined. Once a virus has been identified, it is difficult to prove that it has been totally eliminated.

The suggestion with reporting on cyber incidents is to update filings frequently but be careful about stating that the problem is solved, concluded, or even contained.

No doubt, now that the regulations have been finally adopted, there will be a significant number of 8-Ks filed and the SEC may be able to offer further guidance on the reporting issues, especially those related to advanced persistent threats, timing, and materiality.