Regulators’ data breach response signals challenges to compliance with its own rules

On June 2, 2023, the U.S. Securities and Exchange Commission (SEC) released a statement informing the public that an internal data breach from 2017 had a much greater impact than previously believed. This news arrives in the midst of proposed amendments to the SEC’s rules regarding cyber incident reporting by public companies. The agency’s own breach highlights the operational difficulties and potential adverse effects of complying with this impending – although not yet finalized – rule change.

The SEC data breach

In April 2022, the SEC reported that some of its enforcement staff members accessed privileged materials relating to the adjudication of cases being litigated in its in-house court system. More than a year later, after conducting an internal review, the SEC has now reported that 89 of its cases have been affected, rather than the previously reported two cases .

Canadian capital markets regulators have not been immune to data incidents of their own – the Investment Industry Regulatory Organization of Canada (IIROC) was recently the subject of a privacy class action in Québec in connection with a 2013 data breach (although this class action was ultimately dismissed).

The proposed reporting rule change

Announced in March 2022, the SEC’s proposed rule change will introduce an enhanced and standardized disclosure regime for cybersecurity risk management, strategy, governance, and incident reporting for public companies. Among other things, the SEC will mandate the disclosure by SEC registrants through Form 8-K of information related to “material cybersecurity incidents” within four business days of determining that the breach is material. A “cybersecurity incident” is an unauthorized occurrence on an SEC registrant’s information system that jeopardizes the confidentiality, integrity, or availability of the system, including any information residing in it. Information about such an incident is considered material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.” The proposal indicates a number of key types of information to be disclosed in Form 8-K:

• When the incident was discovered and whether it is ongoing.
• A brief description of the nature and scope of the incident.
• Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose.
• The effect of the incident on the registrant’s operations, and
• Whether the registrant has remediated or is currently remediating the incident.

Notwithstanding the expectation of such detailed disclosure, affected regulated parties will not be required to publicly disclose specific information about a planned response to the incident or potential system vulnerabilities which would impede the response itself.

The SEC has presented this rule change as an instrument for investor protection to standardize disclosure, alleviate concerns about underreporting, and to provide timely and consistent notification to investors of material cybersecurity incidents. However, the proposed amendments, especially the four day reporting requirement, has been the subject of significant criticism from industry commentators. As evidenced by the SEC’s own experience, the full scale and impact of an incident is rarely known at such an early stage, and publicly releasing incomplete (and often inaccurate) information could not only confuse investors, but also expose registrants to liability for misleading investors. Early disclosure may also compromise internal investigations and hamper remediation efforts by tipping off cybercriminals, causing further harm to the company and investors.

Neither of the SEC’s April 2022 disclosure, nor the June 2023 disclosure, mention the date at which the incident was determined to be material, calling into question whether the SEC was able to follow its own proposed disclosure requirements.

Canadian disclosure obligations

Canadian public issuers are required by provincial securities regulators to disclose material changes that would be reasonably expected to impact the market price or value of the company. As indicated by Staff Notice 51-347, cyber incidents may fall into this category under certain circumstances. While Canadian securities regulators have published guidance on cyber incidents, including general expectations for disclosures, the specific details of such disclosure is largely left with the affected issuer to define. The regulatory guidance does acknowledge that what constitutes a material breach may vary depending on the industry, the type of incident, and the extent of the consequences. On the issue of timing, the guidance recognizes that there is often a delay between the occurrence and the discovery of a breach, and assessing the full extent of the impact may take time. Finally, in its disclosure, an issuer should consider providing “visibility as to the anticipated impact and costs of the incident.”

In addition to the requirements under Canadian securities laws and regulations, organizations may be required to report certain types of cyber incidents under applicable provincial and federal privacy legislation. For instance, organizations subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) must report breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals, to the Privacy Commissioner of Canada and notify affected individuals.

Takeaways

The SEC’s changes to its disclosure requirements regarding cyber incidents have been highly anticipated for more than a year, and follows from the SEC’s recent increased efforts to address the capital market implications of cybersecurity. In contrast to the SEC proposals, the more “principle-based” Canadian approach released back in 2017 provides significantly more flexibility for reporting issuers to determine the content of disclosure based on their own assessment of materiality. It remains to be seen if the SEC will amend the proposed rule change based on its own recent experience.

Since this posting, the U.S. Securities and Exchange Commission (SEC) has released the final mandatory cybersecurity disclosure rules. Read about them in our blog post of August 25, 2023.