20 Apr 2022 | 22:09 UTC

Attorney flags potential security risk in SEC cyber incident disclosure proposal

Highlights

Tabletop exercises seen easing tensions with reporting

Transparency benefits of SEC proposal touted

US, other countries issue joint cyber warning

New cybersecurity disclosure requirements that the Securities and Exchange Commission proposed are poised to bring more transparency to cyber incidents and public companies' strategies for dealing with ever-evolving threats, but could also put a target on a company's back or open it to more litigation risk, attorneys with Baker Botts said April 20.

The March 9 proposal from the SEC comes as the cyber threat to US energy assets has been heightened by the possibility of retaliatory cyberattacks from Russian actors as the US, along with European leaders, continues to ratchet up sanctions and tighten penalties on Russian President Vladimir Putin's inner circle over the invasion of Ukraine.

US, Australian, Canadian, New Zealand and UK cybersecurity authorities issued a joint cybersecurity advisory April 20, warning critical infrastructure network defenders to be on the lookout for malware, ransomware, distributed denial-of-service attacks, cyber espionage and other cyber threats. The advisory urged critical infrastructure operators to harden their cyber defenses and perform due diligence in identifying indicators of malicious activity.

In addition to laying out steps companies should take to prepare for and mitigate potential cyber threats, the advisory also gave an overview of known Russian government and military organizations and cybercrime groups, as well as provided a playbook of their high-profile activities.

"Russian state-sponsored cyber actors have demonstrated capabilities to compromise [information technology] networks; develop mechanisms to maintain long term, persistent access to IT networks; exfiltrate sensitive data from IT and operational technology networks; and disrupt critical industrial control systems/OT functions by deploying destructive malware," the advisory said.

It added that "some cybercrime groups have recently publicly pledged support for the Russian government." Some of those groups "have threatened to conduct cyber operations in retaliation for perceived cyber offensives against the Russian government or the Russian people," while others "have also threatened to conduct cyber operations against countries and organizations providing materiel support to Ukraine."

Public reporting

While other regulatory and legal measures have mandated cyber incident reporting to a federal agency in a mostly confidential manner, the SEC proposal would require a company to disclose to the public, through an 8-K filing, a cyber incident within four days of determining the incident was material.

There would also be quarterly and annual obligations to update the public on the cyber incident as well as continuous reporting of a company's cyber risk-management policies, procedures and strategy; its cybersecurity governance structure; and the cybersecurity expertise of board members.

Cynthia Cole, a partner at Baker Botts, anticipates that the SEC's proposed rule will be finalized this summer with few, if any, changes to its current form.

It will "create much more of an atmosphere of transparency," and potentially give shareholders, investors and competitors the ability to start to "compare apples to apples" in terms of companies' cybersecurity approaches, she said during a webinar hosted by her firm and industrial cybersecurity company Dragos.

Matthew Baker, also a partner at Baker Botts, commended the added visibility the rule would bring to cybersecurity, including creating more awareness and spurring more cyber training, but he also saw potential downsides.

"Something that really struck me about this was if you're in the midst of an incident, publicly reporting something only increases your exposure as a persistent target and your resources are already diminished," Baker said. "And ... these threat actors are sophisticated. They are reviewing public material, whether it's press releases, through M&A transactions for deals that are going on, or disclosures that may be happening publicly or now even disclosures that are happening from an 8-K requirement perspective. To me, it just seems like you're inviting more of an attack upon yourself."

Litigation risk

As far as resolving this tension created by having to respond to and report on a cyber incident, Rich Witucki, a senior industrial consultant at Dragos, said companies should be conducting tabletop exercises to practice their cybersecurity incident response plans and improve success rates.

"The beauty behind the tabletop exercise is that it doesn't necessarily cost a lot of money to perform them," he said. "You can do a bunch of those tabletop exercises. ... And then you start getting some of the C-level people involved and they ... learn a lot from both the IT and the OT cybersecurity folks when they do that."

Cole also recommended tabletop exercises. She acknowledged, however, that more transparency also means more litigation risk and ties into a company's fiduciary duties.

"So if you are on the executive team, you're on the board, you can no longer just, frankly, go get your buddy that you've known for 30 years to just be on the board with you," she said.

Rather, she said that companies will have to take a hard look at their boards, C-suites and management and consider whether individuals already in place or being considered for hiring will be responsive to the cybersecurity needs of the company.

Reporting publicly, rather than to a specific agency, demands "a whole other level of thought process and internal organization," Cole asserted. But she saw increased transparency as overall positive for the market.

Once the public at large sees that a company can report a cyber incident and "everything is sort of still moving along at the right pace, then there's less shock value in each disclosure," she said.

"Ideally, what [the rule] does is it should make people more energized to know about potential problems much, much earlier in the process so that it doesn't become a reportable incident," she said. "What should be the driving factor inside the organization is if we have to talk about this openly and publicly ... after the chaos, then we should be more intently scrutinizing and collecting information about patches and potential vulnerabilities and putting in place a structure that encourages that."
