SEC Cybersecurity Rules: A Guide for Whistleblowers
The SEC's cybersecurity regulations require companies to disclose material cyber incidents and provide detailed information about their risk management practices. This guide will delve into the specifics of these rules, their implications for whistleblowers, and how to report potential violations.
Updated May 13, 2025

Understanding the SEC’s Cybersecurity Rule
On July 26, 2023, the Securities and Exchange Commission (SEC) adopted new rules requiring registrants to disclose material cybersecurity incidents on Form 8-K within four days of determining that an incident is material. The rule also requires registrants to provide disclosures on Form 10-K regarding their cybersecurity risk management processes, strategy, and governance. Lastly, the rule requires foreign private issuers to make similar disclosures on Form 6-K for material incidents and on Form 20-F for annual risk management.
In a press release, SEC Chair Gary Gensler stated:
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors…Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
Key Takeaways of this Comment and Rule
- The rule aims to enhance investor protection by providing more detailed and timely information about cybersecurity risks.
- Companies will need to strengthen their cybersecurity programs and disclosure processes to comply with the new requirements.
- Investors can benefit from increased transparency and better understand the cybersecurity risks faced by their investments.
Insiders who have information regarding a violation of this rule may anonymously report their concerns to the Commission under the SEC Whistleblower Program. Whistleblower awards can range from 10 percent to 30 percent of the money collected when the monetary sanctions exceed $1 million – sanctions can include civil penalties, disgorgement, and interest.
Continue reading to learn more about this rule and other proposed rules, such as Rule 10, which enhances the cybersecurity requirements for certain covered categories of regulated financial markets participants, and about the SEC Whistleblower Program.
What is Considered a Cybersecurity Incident?
Whether an incident must be disclosed turns on materiality: if a reasonable shareholder would consider the information important in making an investment decision, the incident likely meets the “materiality” criterion. Materiality is a fact-specific inquiry that depends on the company and the particular circumstances of the incident. Determining significance therefore depends on many factors, which may include:
- Incident Severity: was the incident major, such as one that can cause a system outage? Or was it a minor one, such as a small-scale data breach?
- Financial Loss: did the incident cause major losses or reputational damage? Was there a pause in operations because of the incident?
- Data Sensitivity: did the data that was compromised contain confidential or personally identifiable information that could cause disruption?
- Regulation: were there regulations or other laws within your industry that require disclosure of such incidents?
Cybersecurity Incident Types
There are many ways in which an organization’s information or IT systems can be compromised, meaning that the confidentiality, integrity, or availability of the system is degraded below accepted security standards.
Below are a few of the types of incidents that could occur, which may require a disclosure:
- Data breaches: unauthorized access to sensitive data, such as customer records, financial information, or intellectual property.
- Zero-day attacks: attacks that exploit a software vulnerability that is not yet known to the vendor and for which no patch is available.
- Malware attacks: infection of systems with malicious software, like viruses, ransomware, or spyware.
- Phishing attacks: deceptive tactics used to trick individuals into revealing sensitive information, like passwords or credit card numbers.
- Denial-of-service (DoS) attacks: overwhelming a system or network with traffic, making it inaccessible to legitimate users.
- Insider threats: malicious actions by employees or contractors who have authorized access to systems.
- System failures: hardware or software malfunctions that disrupt operations.
- Human error: mistakes made by employees that lead to security breaches.
Cyber threats are constantly evolving, and so are the sophisticated tactics, techniques, and procedures used to cause harmful cybersecurity incidents. Companies need a clear plan for detecting, containing, investigating, and recovering from such incidents, and for hardening their systems against them, or they may be subject to regulatory scrutiny and enforcement.
What about Third-Party Breaches?
If an incident occurs on a third-party platform, the company may still be required to disclose it, regardless of where the incident happened and how much information about it is available.
Four-Day Deadline
The four-day reporting deadline starts when you determine that the incident could have a material impact on your company, not when the incident was discovered. Some time may be needed to assess the situation and determine materiality.
Delay Provision for Incident Disclosure
Reporting of a cybersecurity incident may be delayed in limited cases, for example if disclosure would pose a risk to public safety. For now, the limit is 120 days, which can be extended only with the SEC’s approval.
The FBI handles intake on behalf of the DOJ, and a delay is considered warranted when there is a concern that disclosure would affect national security or public safety. For a company to use the delay provision, it must file with the FBI through another U.S. agency.
See the DOJ Cyber Incident Notification Delay Guidelines for more information on this.
Cybersecurity Risk Management
The SEC’s new cybersecurity rule mandates that registrants disclose details about their cybersecurity risk management practices. This includes how cybersecurity is integrated into their risk management, the use of third-party assessors or consultants, processes for identifying risks from third parties, and the impact of past or potential future cybersecurity incidents.
Additionally, companies must disclose the board’s role in overseeing cybersecurity risks, the specific committee responsible for oversight, and the processes for informing the board about cybersecurity risks. Companies must also disclose the management positions responsible for cybersecurity, the relevant expertise of those individuals, processes for monitoring and addressing cybersecurity incidents, and reporting mechanisms to the board.
Proposed New Rule 10 for Market Entities
On March 15, 2023, the Securities and Exchange Commission proposed a new rule which would require market entities to address their cybersecurity risks.
Market entity refers to broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents (collectively, “Market Entities”).
According to the Cybersecurity and Infrastructure Security Agency, the financial services sector is critical, “whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” This rule addresses such concerns.
Key Requirements for All Market Entities
The rule would require large financial institutions to implement strong cybersecurity programs and practices, such as regular risk assessments, strong access controls, incident response plans, and regular reviews and assessments of cybersecurity policies and procedures.
Key Requirements for Covered Entities
Covered entities will be required to implement key cybersecurity measures. These include conducting periodic risk assessments to identify and document potential vulnerabilities, implementing strong access controls to prevent unauthorized access, and monitoring systems to detect and respond to threats.
Additionally, covered entities must have robust incident response plans to handle cybersecurity incidents effectively. Finally, they will be required to publicly disclose information about their cybersecurity risks and incidents on Part II of the proposed Form SCIR. Proposed Rule 10 would require that covered entities provide immediate written notice to the SEC of any significant cybersecurity incident.
SEC Whistleblower Program: Reporting Incidents
The SEC Whistleblower Program allows whistleblowers to report securities fraud and other violations of federal securities laws, such as violations of the SEC cybersecurity rule, to the Commission. There are several key features of this program, which include the following:
- Monetary Awards: eligible whistleblowers can receive awards between 10% and 30% of the total monetary sanctions collected in SEC enforcement actions exceeding $1 million.
- Protection Against Retaliation: the program provides strong protections against retaliation from employers and maintains strong confidentiality.
- Anonymity: whistleblowers can choose to remain anonymous during the reporting process (and award claims process), but they must hire an attorney.
The SEC Whistleblower Program has proven to be a powerful tool in combating financial fraud and corporate misconduct. By incentivizing whistleblowers, the program has led to numerous successful enforcement actions and recovered billions of dollars for investors.
By reporting potential securities law violations, whistleblowers help protect investors, strengthen security practices within the financial sector, and maintain market integrity.
Reporting Your Concerns
Whistleblowers may report their concerns using the SEC’s online Tips, Complaints, and Referrals (TCR) system. They can also mail or fax their Form TCR to the following address:
SEC Office of the Whistleblower (c/o ENF-CPU)
14420 Albemarle Point Place, Suite 102
Chantilly, VA 20151-1750
ATTN: SEC TCR SUBMISSIONS
However, given the complexity of whistleblowing, the rules for disclosing information, and the deadlines involved, we strongly suggest contacting an experienced SEC whistleblower attorney. Failure to do so could result in your tip not being pursued by the Commission or in a lesser award amount.
More importantly, keep in mind that if you choose to submit your information anonymously, i.e., without providing your identity or contact information, you must be represented by, and provide contact information for, an attorney in connection with your submission to be eligible for an award.
Get Legal Help
Led by former SEC acting chair and commissioner Allison Herren Lee, former SEC Enforcement Senior Counsel Andrew Feller, and renowned whistleblower attorney Stephen M. Kohn, our team has been shaping the landscape of whistleblower protection for over 35 years.
If you have information regarding violations of cybersecurity rules and other securities laws violations, our team is ready to help. Contact us today for a free case evaluation. There’s no fee unless we get you an award.
Our Firm’s Cases
Environment & Human Rights Violations Exposed
Oil industry’s environmental crimes and cover-up in Colombia have been exposed. Whistleblower Andrés Olarte Peña, with the support of his attorneys Kohn, Kohn & Colapinto and the damning evidence compiled in the Iguana Papers, is calling for an investigation into Ecopetrol and its executives by the Colombian government and the U.S. Securities and Exchange Commission.
$30 Million Award
Protecting the confidentiality of Wall Street whistleblowers is among the most important breakthroughs in federal whistleblower law. Under the Dodd-Frank Act, whistleblowers can file anonymous cases, and everything about their case, including who they sued, remains secret.
$13.5 Million Award
Our firm represented an anonymous whistleblower, who on May 17, 2021, received a whistleblower award of almost $13.5 million. The SEC has issued more than $31 million in whistleblower awards related to this case.