Public companies and other market participating or influencing companies and their leaders should begin preparing to comply with enhanced cybersecurity risk management, disclosure, strategy, governance and incident reporting and response requirements of a Proposed Rule the Security and Exchange Commission (“SEC”) published in today’s (March 9, 2022) Federal Register.
Published on the heels of the SEC’s announcement of plans to hold public companies and their leaders accountable for lax cybersecurity risk management and disclosure, the SEC’s promotion of the Proposed Rule is one of a growing series of SEC and other federal agency initiatives ratcheting up responsibilities and legal liability risks of organizations and their executives in the face of growing cybersecurity threats. Aside from the added SEC requirements directly applicable to market participating or influencing companies, the protections intended to protect investors against undisclosed or improperly managed cyber-related risks to their investments also are likely to impact the cybersecurity practices of organizations that provide investments or investment related services with respect to employee benefit plans and the disclosures they provide.
In the face of these rising risks, public companies and their leaders should move promptly to conduct documented assessments of the adequacy of their existing cybersecurity safeguards, risk assessments and breach detection and response practices within the protective scope of attorney-client privilege as soon as possible considering the requirements of the Proposed Rule and other rapidly evolving rules, precedent and cyberthreats. Meanwhile, individuals and organizations wishing to comment on the Proposed Rule should submit their comments as soon as possible and no later than May 8, 2022, which is the last day of the 60-day comment period established in the Proposed Regulation.
Cybersecurity Risks & Responsibilities Of Companies & Their Leaders Rising
With cybersecurity threats and compliance concerns growing, the SEC is prioritizing cybersecurity investigation and enforcement against public companies and other market participants for lack cybersecurity governance, safeguards or disclosures. See e.g., SEC Office of Compliance Inspections and Examinations Cybersecurity and Resiliency Observations. Along announcing its commitment to hold market involved and impacting regulated entities accountable for failing to maintain and enforce appropriate internal and external controls to prevent, detect and redress cybersecurity threats, including appropriate board governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, training and awareness, investor disclosures and other practices.
Beginning in 2019, the SEC strengthened its warnings to public companies and other market involved and influencing organizations and has begun more aggressively investigating and pursuing enforcement against companies that fail to fulfill their SEC cybersecurity obligations. As public companies and investor losses from data breaches, malware and other cybersecurity have continued, taken enforcement action against various public companies that experienced significant drops in stock value due to malware, data breach or other cybersecurity incidents. See here. For instance, in August, 2021, London-based educational publishing giant Pearson plc, agreed to pay $1 million to settle SEC charges that it had inadequate cybersecurity disclosure controls and procedures and made misleading statements and omissions about the 2018 data breach involving the theft of student data and administrator log-in credentials of 13,000 school, district and university customer accounts. In its semi-annual report, filed in July 2019, Pearson referred to a data privacy incident as a hypothetical risk, when, in fact, the 2018 cyber intrusion already had occurred. Also in a July 2019 media statement, Pearson stated that the breach may include dates of births and email addresses, when, in fact, it knew that such records were stolen, and falsely that Pearson had “strict protections” in place, when, in fact, it failed to patch the critical vulnerability for six months after it was notified. The media statement also omitted that millions of rows of student data and usernames and hashed passwords were stolen. The SEC order further found that Pearson’s disclosure controls and procedures were not designed to ensure that those responsible for making disclosure determinations were informed of certain information about the circumstances surrounding the breach and that Pearson waited to inform investors about the breach until after contacted by the media. After the SEC issued an order that found Pearson violated Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933 and Section 13(a) of the Exchange Act of 1934 and Rules 12b-20, 13a-15(a), and 13a-16 thereunder, without admitting or denying the SEC’s findings, Pearson agreed to cease and desist from committing violations of these provisions and to pay a $1 million civil penalty.
Until recently, these cybersecurity enforcement actions focused primarily on entities. Last summer, however, the SEC announced that along with continuing its enforcement against public companies and other market involved and impacting companies for cybersecurity deficiencies, it now intends to purse enforcement against officers, directors or other leaders of companies that allow these deficiencies. Coincident with this announcement, the SEC made good on its promise to prosecute individual leaders by suing leaders of three companies accused of violating SEC cybersecurity controls, governance, and disclosure rules.. See, e.g., SEC Announces Three Actions Charging Deficient Cybersecurity Procedures.
Newly Proposed SEC Cybersecurity Rule Clarifies Expectations, Facilitates Noncompliance Enforcement Against Public Companies & Leaders
The SEC publication of the Proposed Rule both reenforces its prior cybercompliance warnings and adds more teeth to the SEC’s efforts to monitor, investigate and enforce its rules against market involved and impacting regulated entities and their leaders that fail to fulfill their cybersecurity obligations.
The “clarifications” in the Proposed Rule define minimum expectations for public company management and disclosures to investors about their cyber risk management, strategy, and governance and requiring public companies to notify investors of material cybersecurity incidents very quickly.
Among other things, the Proposed Rule will require that public companies:
- Amend Form 8-K to require registrants to disclose information about a material cybersecurity incident within 4 business days after the registrant determines that it has experienced a material cybersecurity incident;
- Add new Item 106(d) of Regulation S-K and Item 16J(d) of Form 20-F to require registrants to provide updated disclosure relating to previously disclosed cybersecurity incidents and to require disclosure, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate; and
- Amend Form 6-K to add “cybersecurity incidents” as a reporting topic.
The Proposed Rule also will require enhanced and standardized disclosure about public company cybersecurity risk management, strategy, and governance by:
- Adding Item 106 to Regulation S-K and Item 16J of Form 20-F to require a registrant to:
- Describe its policies and procedures, if any, for the identification and management of risks from cybersecurity threats, including whether the registrant considers cybersecurity as part of its business strategy, financial planning, and capital allocation; and
- Require disclosure about the board’s oversight of cybersecurity risk and management’s role and expertise in assessing and managing cybersecurity risk and implementing the registrant’s cybersecurity policies, procedures, and strategies; and
- Amending Item 407 of Regulation S-K and Form 20-F to require disclosure regarding board member cybersecurity expertise including disclosure in annual reports and certain proxy filings if any member of the registrant’s board of directors has expertise in cybersecurity, the name(s) of any such director(s) and any detail necessary to fully describe the nature of the expertise; and
- Requiring public companies present the cybersecurity disclosures in Inline eXtensible Business Reporting Language (Inline XBRL).
Given the SEC’s announced cybersecurity priorities, most commentators expect the SEC to move promptly to implement the Proposed Rule after the comment period ends on May 8. If these expectations prove true, market participating and influencing entities and their leaders already at risk under preexisting enforcement priorities will have to move quickly to clean up their compliance and fulfill their new responsibilities.
Managing existing risks and meeting these new requirements will be complicated by the need or advisability for many of the impacted public companies and their leaders to consider and appropriately address longstanding and newly expanding SEC and other cybersecurity exposures and disclosures. Aside from meeting the particulars of the new requirements going forward, companies also should be prepared to address preexisting cybersecurity exposures under existing SEC and other laws, regulations and contracts.
In conducting these activities, organizations and their leaders should keep in mind that their SEC cybersecurity obligations and exposures include both SEC specific new and unresolved historical obligations as well as cybersecurity risks arising from other operational, contractual and regulatory sources.
Federal electronic crimes, the Fair Credit Reporting Act, the Fair and Accurate Credit Transactions Act (“FACTA”), the Internal Revenue Code, and a plethora of other federal and state laws long have required or made highly advisable that organizations and their leaders include appropriate cybersecurity governance, security, breach detection and response, disclosure and mitigation obligations in their Federal Sentencing Guideline or other organizational compliance programs.
To adequately fulfill the SEC expectations, corporations and their leaders generally also will need to assess compliance, controls and exposures considering other cybersecurity duties and risks from key components of public company and other organizations’ operations, heightened exposures to private litigation, audits, investigations and enforcement and other cybersecurity responsibilities and risks subsumed within their public company and employee benefit plan operations. See e.g., New DOJ Civil Cyber-Fraud Initiative Pressures Federal Contractors & Grant Recipients To Tighten Cybersecurity Controls, Training & Other Safeguards ;Federal Agencies Take Aim At Businesses, Benefit Plan Fiduciaries & Service Providers & Others With Lax Cybersecurity & CyberBreach Compliance; Build Defenses By Strengthening Internal & External Controls & Risk Management; HIPAA & ERISA Fiduciary Rules Drive Imperative To Protect Health Plan Data & Systems From Hacking & Other Cyber Threats; Check Up Updated FinCEN Advisory on Ransomware For Opportunities To Strengthen Defenses; Raise Cybersecurity & Cyberbreach Compliance & Risk Management To Defend Against Rising Cyber Regulatory & Enforcement Risks; DOJ Civil Cyber-Fraud Initiative Pressures Federal Contractors & Grant Recipients To Tighten Cybersecurity Controls, Training & Other Safeguards.
As the conduct of the compliance and risk assessments necessary to evaluate and determine actions required or recommended in response to the emerging SEC and other cybersecurity obligations and risks could uncover and involve discussions of obligations and options for responding to known or suspected past or existing noncompliance risks, organizations and leaders should conduct their audit and analysis to the extent possible with the guidance of and within the scope of attorney-client privilege.
As part of these efforts, organizations and their leaders should move quickly to position themselves to defend against potential investigation and enforcement risks created by these emerging policies. These efforts should seek to ensure compliance with all applicable statutory, regulatory and contractual requirements as well as institutionalize the necessary operational controls to protect systems, data and operations from cyber breaches and other threats, to detect and redress cyber events promptly, and to ensure that the organization otherwise can demonstrate both their compliance efforts, as well as their timely prudent detection, investigation, reporting, mitigation and remediation in response to actual or suspected cyber threats or other compliance breaches.
Efforts should begin by taking carefully crafted, well-documented documented steps to prudently evaluate and strengthen cybersecurity and breach safeguards and compliance, as well as prudently to assess and verify those of their vendors and others involved with their employee benefit plans or their administration within the scope of attorney-client privilege.
Assessments should take into account all existing required statutory, regulatory, and contractual controls and practices, documentation and other procedures. In addition, organizations should consider the advisability of adopting other “best practice” safeguards or actions taking into account relevant agency guidance and resources, government or other contracts, other industry or related standards, known and suspected breaches, “red flags” and threats, their own, their vendor and business partner and other risk profiles and experience, and other factors likely to be viewed as prudent under the circumstances.
In assessing, designing and administering the cybersecurity processes, organizations and their leaders should give due attention to assessing and addressing the adequacy of their internal and external controls to ensure the adequacy of their systems, processes, oversight and response practices and capabilities as of the time of the assessment and on an ongoing basis. Beyond establishing required policies and formal controls, organization should ensure that their organizations have in place the necessary policies and practices to monitor and control cyberthreats arising from conduct and risks created by employees and other internal workforce, vendors and other parties interacting with the business and its operations. As part of these efforts, most organizations will need to evaluate their contractual obligations and requirements for vendors, suppliers and others interacting with their businesses. Beyond general contractual compliance obligations, organizations should weigh requiring contractors, suppliers and other business partners to make specific commitments to maintain and monitor compliance and other risks, to provide timely notice and reports, to cooperate with audits and investigations necessary or advisable to respond to private or government complaints, government or other investigation, reporting or other requirements, their own compliance and risk assessments, audits and investigations and other compliance and risk management efforts. Organizations also should give careful attention and review the adequacy of protections and responsibilities arising from contractual cybersecurity and breach notice, investigation, cooperation, indemnification, insurance and other associated protections and cooperation.
Organizations also should consider establishing and administering processes for independent monitoring of regulatory, news, and other reports that could provide early warning of potential cybersecurity weaknesses, threats and breaches.
All processes should include appropriate governance, oversight and reporting to provide for ongoing monitoring and oversight necessary to identify and respond to evolving risks arising in the course of their operations as well as consistent practices for carefully documenting their compliance and risk management compliance efforts.
Because of the frequently high cost of breach investigation, response and mitigation, most organizations will want to consider securing cyber liability or other coverage, require vendors and other business partners to provide cyber liability indemnifications backed up with insurance or other adequate assurance of their ability to fulfill these financial responsibilities.
Organizations and their leaders also should ensure that their compliance programs are backed up with appropriate governance and oversight to monitor and maintain compliance, address emerging issues and identify and respond to new requirements and incidents with appropriate process and documentation to defend compliance and mitigate other cyber-related risks for their organizations, their investors and their leaders.
We hope this update is helpful. For more information about or assistance with these or other workforce, internal controls and compliance or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.
Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.
About the Author
Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.
Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, and author of the “Medical Privacy” Chapter in the BNA/ERISA Litigation Treatise, the “Other Torts Chapter” in the BNA/ABA E-Heath & Other Torts Treatise, “Privacy and the Pandemic Workshop” for the Association of State and Territorial Health Plans, as well as a multitude of other highly regarded data privacy and security, workforce and health care change and crisis management and other highly regarded publications and presentations, Ms. Stamer is widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns.
A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with private and public companies of all types and sizes, health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. In the course of this work, she has had extensive involvement in the design, administration and defense of payroll, employee benefit, insurance, securities, trade secret and other confidential information and other internal and external record and data systems and processes as well as investigation, reporting, redress and mitigation of cyber and other incidents.
As a part of this work, she has continuously and extensively worked with domestic and international health and other employee benefit plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EHR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies. She also has extensive experience dealing with OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement; and other strategic and operational concerns.
American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, current RPTE Welfare Benefit Committee Co-Chair and former Chair of its Fiduciary Responsibility, Plan Terminations and Distributions and Defined Contribution Plan Committees, a former JCEB Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former SHRM Consultants Board and Region IV Chair, former Texas Association of Business Board, BACPAC Board and Dallas Chapter Chair, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas.
Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.
IMPORTANT NOTICE ABOUT THIS COMMUNICATION
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.
NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at any time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any situation and does not necessarily address all relevant issues. Because developments could impact the currency and completeness of this discussion, the author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication. Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein. ©2022 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™