The growing frequency and public awareness of cyberincidents, evolution of technologies employed by intruders, and proliferation of personal data and infrastructure vulnerable to attack have all contributed to heightened regulatory scrutiny of corporate cybersecurity measures. Public companies are now expected to publish and update timely disclosures about cybersecurity risks affecting their business, to implement measures to prevent or mitigate the harms resulting from a cyberincident, and to notify and cooperate with government investigators after a material breach.
Here are some best practices for handling these challenges in the modern regulatory environment, with a specific focus on US Security and Exchange Commission (SEC) and US Department of Justice (DOJ) enforcement.
- Companies must consider a broad range of notification and disclosure requirements under federal and state law, including notifying the FBI and local authorities, investors, and potentially affected parties. Reporting a cyberincident to law enforcement can both give companies access to the resources of law enforcement to combat an active attack and have additional benefits if an incident is investigated by regulatory agencies.
- The FBI’s Cyber Task Forces, located in each of its 56 field offices across the country, deliver investigative response services through the FBI’s Cyber Action Team, which consists of a cadre of highly trained and experienced FBI special agents and computer scientists capable of deploying globally in response to particularly sophisticated cyberincidents.
- The Federal Trade Commission has affirmed that it views companies that report data breaches and cyberincidents to law enforcement and cooperate with the subsequent investigation more favorably than those that do not.
- All 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information andhave data breach notification laws that set forth overt or implicit disclosure requirements based on particular cybersecurity events. Registrants should be familiar with the laws of the states where they do business and any applicable bright-line disclosure thresholds, which may shed light on what constitutes a “material” incident necessitating SEC disclosure.
- With regard to the disclosure of forward-looking cybersecurity risks to investors, the SEC has identified the following factors: the occurrence of prior cybersecurity incidents, including their severity and frequency; the probability of the occurrence and potential magnitude of cybersecurity incidents; the adequacy of preventive actions taken to reduce cybersecurity risks and the associated costs; the costs associated with maintaining cybersecurity protections; existing or pending laws; and litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.
- Appropriate internal controls around insider trading are also important to protect corporate executives and employees. Both the DOJ and the SEC can bring criminal charges against individual executives who trade on inside information, so companies should consider reviewing their internal controls and procedures for preventing insider trading following a data breach, including written policies and employee trainings; preclearance of trading in the company's stock by individuals who may have access to cybersecurity-related nonpublic information; and procedures for reporting of cybersecurity incidents.