The U.S. Securities and Exchange Commission (SEC) promulgated new rules on cybersecurity disclosures, which went into effect on September 5, 2023. While private companies are not subject to these rules, as discussed below, there are several reasons why they should consider adopting these rules for their cybersecurity program.

Generally, the rules require public companies to promptly disclose material cybersecurity breaches and to provide annual disclosures regarding the company’s cybersecurity strategy, risk management, and governance. Under the new rules, public companies must provide:

• A disclosure in Form 8-K with information regarding a material cybersecurity incident within four business days after the incident is deemed material.
• An amendment of a prior Form 8-K disclosure of a cybersecurity incident to add any required information that was not unavailable when the initial Form 8-K was filed.
• Annual disclosures in Form 10-K describing the company’s “processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.”
• Annual disclosures in Form 10-K describing “management’s role in assessing and managing material risks from cybersecurity threats” and “the board of directors’ oversight of cybersecurity risks.”

The SEC’s rules are meant to provide investors with timely, consistent, and actionable information related to cybersecurity. As risks related to cyberthreats grow in significance and impact on business’s bottom lines, many investors may consider a company’s cybersecurity program relevant to their investment decisions.

Private companies—like public ones—face the same growing cyberthreats with the growing use of digital technologies and artificial intelligence in virtually all sectors and industries, including the adoption of hybrid work and the push to accept cryptocurrencies. Therefore, understanding the company’s cyberthreat exposure and having a clear strategy and risk management approach to cybersecurity is critically important to private companies, even if they are not required to follow the SEC’s public disclosure rules. 

Is Your Company Ready to Go Public?

Any private company considering an initial public offering (IPO) or an acquisition by (or a merger with) a public company may find its cybersecurity strategy, risk management, and governance to be a major element of the due diligence involved. If a private company’s cybersecurity policies and procedures, systems, and processes are found to be lacking—perhaps because they do not follow the latest SEC guidance or the best practices in the company’s industry—a potential partner may find it an unacceptable risk and a sufficient red flag to walk away from the deal.

The SEC’s new disclosure rules constitute a helpful roadmap for private companies regarding the information that financial institutions and public companies will look for when conducting due diligence. Thus, while a private company need not provide public disclosure of its cybersecurity program, it may be helpful to consider creating an internal process for reviewing and reporting on the company’s cybersecurity strategy, risk management, and governance to the Board of Directors (in lieu of the SEC), so that it has all its cybersecurity ducks in a row for a future IPO, merger, or acquisition.

Best Practices to Avoid Data Breaches and Stave off Potential Litigation in Case of a Cybersecurity Incident

Even if the private company does not foresee becoming a public entity in the future, there are still good reasons for adopting the policy objectives behind the SEC’s new disclosure rules.

First, cyberthreats are rapidly evolving, and a business’s cybersecurity posture must keep up with the new threats. To do so, companies must take a proactive approach to cybersecurity. This includes having an informed and supportive C-suite willing to delve into the company’s cybersecurity strategy and risk management. An annual report about the company’s cyber vulnerabilities modeled on the SEC’s new reporting rules can be an efficient approach to helping management stay abreast of the effectiveness of the company’s cybersecurity program. Such a report is especially effective when coupled with annual training focused on recent trends in breaches and innovations in cybersecurity technology, as well as a tabletop exercise to identify and mitigate company-specific cybersecurity risks. 

Second, following best practices for cybersecurity can reduce the risk of a company being successfully sued in the aftermath of a breach that puts the sensitive personal identifiable information (PII) of its customers, vendors, or employees at risk. Adapting the SEC’s new reporting rules to the specific circumstances of the private company can help show that the company was following best practices in cybersecurity governance, making it more difficult for plaintiffs to claim that management was negligent in protecting PII.

Even if a lawsuit is ultimately unsuccessful, litigation can be a costly distraction. Consider, for example, the case against LinkedIn over the leak of approximately 6.5 million of its users’ passwords following a data breach. Plaintiffs alleged that LinkedIn was not following best practices because it hashed its passwords (i.e., converted them from plain text to cipher for storage) but did not salt them (i.e., by adding random characters to the passwords before hashing). Even though, ultimately, LinkedIn only paid $800,000 to settle the case, it incurred millions of dollars in costs during three years of litigation up to that point. While it is not a magic bullet, evidence that a company follows cybersecurity best practices may deter plaintiffs and reduce the likelihood of an expensive court battle. Using the SEC’s new reporting rules as a blueprint can help a company gather and maintain a record of its commitment to cybersecurity. 

If you would like to adapt the SEC’s new reporting rules for your cybersecurity program, we can help. Contact Dr. Ronald Menold, Director, Cybersecurity Services, to discuss the best options for implementing these rules internally. For questions regarding reporting obligations for SEC reporting companies, please contact our Capital Markets & Securities Group. For more information on the SEC’s cybersecurity rules, please refer to the following alert.