The rules on reporting cybersecurity risks and incidents pose many challenges for companies. Those challenges can be even more difficult when the cybersecurity incident affects third-party systems. With no exceptions for third-party cybersecurity incidents under the new cybersecurity reporting regulations, companies should take proactive steps to assess and respond appropriately to third-party cybersecurity incidents.

The SEC’s New Cyber Risk Regulations

In July 2023, the U.S. Securities and Exchange Commission (“SEC”) promulgated new regulations (“Cyber Risk Regulations”) that, among other things, require public companies to report cybersecurity incidents within four business days of a materiality determination via Item 1.05(a) on Form 8-K. See SEC Adopts Final Cybersecurity Risk Management and Incident Disclosure Regulations, from our colleagues at Privacy World.

The Cyber Risk Regulations require companies to evaluate and report “material” cybersecurity risks and incidents in a timely and consistent manner. The SEC has refused to provide a cybersecurity-specific definition of materiality, opting instead to lean on the materiality standard articulated by the U.S. Supreme Court in TSC Industries v. Northway, 426 U.S. 438, 449 (1976): a fact is “material” if “there is a substantial likelihood that a reasonable investor would consider it important” in making an investment decision or if it “would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available” to the shareholder. The SEC has provided some guidance for companies regarding materiality, noting that companies should evaluate quantitative harms (e.g., lost revenue, remediation costs, and loss of the company “crown jewel”) as well as qualitative ones (e.g., loss of customer confidence and other reputational harms).

How do the Cyber Risk Regulations Apply to Incidents Affecting Third-Party Vendors?

Challenging as these rules are to apply when a company is navigating its own cybersecurity incident, they gain additional complexity when the underlying cybersecurity incident affects a third-party system. Many companies utilize third-party IT vendors to host and store data, and most share at least some data with third-party vendors. Often, companies have limited visibility into third-party vendors’ data-storage and transfer services, making it difficult to assess when and what information may have been impacted by a third-party cybersecurity incident.

The SEC received numerous comments during the rulemaking process requesting further consideration of the third-party systems question. Some commenters requested a safe harbor for information provided to third-party systems. Others suggested extending the four-day reporting period, while still other commenters requested an exemption from the disclosure requirement altogether.

The SEC, however, rejected calls for exemptions or delayed disclosures of incidents connected with third party systems. In justifying its decision, the SEC stated that whether an incident occurred within a third-party system is not relevant to the materiality determination. The SEC explained that it was unlikely that a reasonable investor would consider a breach insignificant merely because the data affected was housed by a third-party. Rather, the materiality determination hinges on how the cybersecurity incident affects the company and/or data itself. In addition, the SEC responded to concerns about limited visibility into third-party vendors’ systems by stating that companies should report based on the information reasonably available to them, such that it would be “generally” unnecessary to conduct additional inquiries outside of regular channels of communication with third-party vendors.

What Can Companies Do to Manage the Reporting Risk Created by Third-Party Cyber-incidents?

When a cybersecurity incident affects a third-party vendor, companies will often have limited visibility into the scope of the breach and even less control over remediation efforts. To mitigate these risks, companies should consider implementing data management and monitoring policies and procedures prior to sharing information with third parties. For example, data should be reviewed for sensitive information, like personally identifiable information. Such information should be removed before it is transmitted to third parties whenever possible. Companies should conduct audits to assess and review data shared with third-party systems on a regular basis and, to the extent possible, compile reports regarding cybersecurity risks and vulnerabilities concerning such data. 

Similarly, companies should maintain a record of all data and information shared and/or stored with third-party systems, particularly when information and data could lead to financial or reputational harm. This way, in the event of third-party incident, the company can quickly assess what information is potentially at risk, even if it does not know the full scope of the third-party’s cybersecurity event. For example, if the company knows that the potentially compromised data would not be material to shareholders, even in the worst-case scenario, it can quickly and efficiently make the requisite materiality determination. But if, on the other hand, the company is scrambling to determine what information has been shared with the vendor, it risks delay, inaccurate reporting, and potential trouble with investors and the SEC.

Proactive safeguards like these are valuable as a practical matter. Although the SEC’s response to concerns about limited visibility suggested that the agency was not necessarily expecting additional inquiries outside of regular channels of communication with third-party vendors, immediate responses to data breaches concerning third-party vendors may tend to disrupt those regular channels, as vendors involve outside counsel and forensic teams.

As the SEC indicated, the materiality determination hinges on whether the data stored with the third-party system was impacted. In the event of a cybersecurity incident concerning third-party systems, companies with proper management and monitoring processes will be better positioned to assess what information is at risk and whether such information may be material. Preparing such information before a cybersecurity incident occurs may also assist companies in responding to SEC inquiries, particularly when a company has determined the breach does not warrant disclosure.

Being able to “show your work” is critically important, as the SEC has increasingly scrutinized companies not just for making a wrong materiality decision, but for failing to have proper controls in place to assess the materiality of the cybersecurity incident in the first place. Companies should be prepared to generate sufficient, real-time documentation supporting their materiality determination and the processes and procedures utilized in reaching that decision, even when the cybersecurity incident concerns a third-party system and even if the incident is immaterial.