General counsel’s role in cyber disclosure

Is our disclosure process getting the right information from the CISO’s office for sound materiality determinations? What’s being escalated?

The CISO’s team should have processes in place for collecting and analyzing incident data, and categorizing metadata to help link related incidents, as the SEC rule requires. For disclosure, ask the CISO about the incident’s level on the severity matrix, as well as the soundness of the attribution regarding the threat intelligence.

Also ask about the CISO’s escalation procedures. Do they consider materiality factors or are they based solely on technical severity? You’ll likely want to weigh in on those considerations and make sure that the CISO understands the SEC’s requirements. 

The CISO should have a process for detecting and identifying related incidents that share the same vulnerability or the same actor. Once the CISO has identified related incidents, how are the incidents aggregated and escalated for a dispositive determination of materiality? What’s the process for making sure this happens when it needs to?

And what happens when, after an incident has been deemed not material, new information becomes available? How do you confirm that the disclosure committee or others responsible for determining materiality get all the information so they can reconsider their findings if warranted, as the SEC requires?

In anticipation of a cyber incident, consider your existing crisis management frameworks. Assess whether your office is included in this process at the right time, and whether the other teams are educated as to why the GC’s office is integral for the matters on a timely basis. Does someone on your team have cyber expertise or knowledge? Consider bringing them into your discussions with the CISO. Adjust escalation procedures where needed.

Does our process call for contemporaneous notes and logs to explain materiality decisions in a subsequent review? Can we demonstrate the work behind the legal judgments we’ve made regarding when and what to disclose?

Documenting how you determined an incident’s materiality is critical, particularly if you determine it’s not material. If the SEC questions your conclusion, it will be helpful to have documentation of your processes, the quantitative and qualitative factors considered, and the basis for your decision. 

Make contemporaneous documentation as discussions occur, as this will naturally hold more weight as evidence of the decision-making process. Store your documentation for later use, as well, keeping in mind that today’s non-material breach can become material later on as more information comes to light. Should the same threat actors attack again or if others were to exploit the same vulnerability, the SEC’s requirement for aggregating related incidents could be triggered. Be sure to have mechanisms in place for tracking and comparing potentially related incidents.

Also, consider whether privilege can and should be asserted over your materiality analysis and documentation. Are you engaging with outside counsel? Is the broader team outside your group educated on privilege, how to preserve your assertion of privilege, and how best to document in a manner that contemplates discoverability?

How can we draft disclosures in a compliant manner that simultaneously protects confidential information about the organization’s cyber program? 

What’s the right amount of disclosure consistent with the spirit of the rule? Making this call is no easy task, but it’s one GCs are accustomed to.

Information you provide in these filings should be complete, accurate and defensible. As you oversee the drafting of these disclosures, be aware of the need for transparency, which the SEC demands on investors’ behalf, as well as the company’s desire to safeguard proprietary information.

You can disclose properly without divulging sensitive information and creating additional risk. You’ll want to provide technical details in the 8-K regarding what happened and what was exposed. In the 10-K, you’ll need to describe the mechanisms in place and the frameworks you’re using to safeguard your systems, networks and data as well as other non-technical details of your cyber risk management. The key is to strike the right balance between transparency and confidentiality.

If immediately disclosing the incident could pose a substantial risk to public safety or national security, how do we report it to federal law enforcement and confirm that we are well coordinated internally? How will we be informed of any determinations and communications with the SEC that could affect the required timing for our reporting?

The rule does allow for limited disclosure delays in some circumstances. Item 1.05 of form 8-K, under the rule, provides that the US Attorney General may grant disclosure delays in cases where the disclosure might present “substantial risk” to national security and public safety. The FBI says it’s working closely with the DOJ to develop further guidance regarding this provision, including on intake and evaluation processes for delay requests.

Your CISO should have an existing relationship with local/regional FBI cyber representatives. It’s important for the GC/senior legal leader to also cultivate a relationship with the FBI that includes a procedure for contacting them. Determine whether you will contact federal law enforcement in the event of an incident, who will make contact, and what you need to convey. You may also consider a more formal, small “cyber panel” of external counsel in case you need outside advice.

How comfortable are we that the assertions regarding cybersecurity risk in the 10-K are accurate and complete? What level of assurance do we need that our cyber strategy and practices are followed in day-to-day operations?

Your role in reviewing your company’s 10-K disclosure on cyber risk management, strategy and governance for accuracy is critical. The CFO signs a certification each quarter attesting to the accuracy of the information in the filing, often relying on your input. To confirm the information’s accuracy, you and the CFO may both need to ask questions of the CISO.

These questions should go beyond required disclosure elements to address activities the 10-K addresses. For example, does your company use third parties to help manage its cyber risks? You and the CFO should take pains to ask the CISO for those parties’ qualifications, how often they test your company’s systems and their own for vulnerabilities, and the scope and results of those tests. Your disclosures may or may not broach these topics but having good information can help confirm that you’re approving 10-K filings with confidence.

Completeness also matters in providing investors an honest accounting of your cyber risk management program. And as GC, you don’t want to subject your organization to added scrutiny because of vague or incomplete disclosures. Work with your CISO and CFO starting well before the filing date to cover all bases — while, again, not divulging any sensitive technical details.

The CISO will need to identify evidence to support the statement in the 10-K. Are they relying on threat intelligence to help determine risks? What is the quality review of the evidence or intelligence that led to any conclusions? How are the risks being managed? What is the cybersecurity maturity of your organization and what’s being done to improve it? Consider asking outside entities such as external legal counsel and auditors to verify your 10-K claims.

Confirm your 10-K disclosure aligns with other, related compliance and reporting obligations — including cyber requirements from state regulators — for consistency across all compliance points of intersection. Similarly, confirm it’s consistent with prior and planned public statements, press releases and other communications by company officials, and ask questions to understand the reasons for any differences between the 10-K and other disclosures.

How prepared are we to answer questions from the board about our company’s cyber disclosures?

The SEC ultimately decided against imposing a cyber expertise disclosure requirement on boards of directors. But the increased attention to and disclosures on cyber risks will remain a board member focus, with the board likely to request more frequent or more detailed updates relating to cyber risk management and other technology and data related risks. In addition to the guidance from management, the board may also seek to bring in third-party experts to educate its members on cybersecurity threats and risks. 

Work closely with the CISO, CFO, internal audit and others within the organization to prepare for questions from the board, both with respect to disclosures regarding cyber incidents (whether deemed material or not) and with respect to the annual disclosures of cyber risk management, strategy and governance.