Compliance with the Securities and Exchange Commission's cybersecurity disclosure rules, once they are finalized, won't necessarily protect a board of directors against a duty-of-oversight challenge under Caremark, say cybersecurity legal specialists in an ACC Docket analysis.
At some point a company will likely try to cite its compliance with the rules as de facto proof that its board has met the oversight standard that the closely watched Delaware Court of Chancery has applied since 1996.
Under Caremark, directors have a fiduciary duty of oversight: they must make a good-faith effort to stay informed about what the company is doing and to act on what they learn. Directors who do so avoid personal liability when things go wrong; directors who do not may face it.
But it would be a mistake to think that meeting the SEC rule, as it stands in its proposed form, is the same as having a process in place through which the board meets its fiduciary duty on cybersecurity matters, say Daniel Berick of Squire Patton Boggs and J. D. Bridges of Theta Lake in their analysis.
“Compliance [with the SEC rules] would and should carry some weight with Delaware courts,” the attorneys say. “But the SEC should not become a de facto safe harbor.”
Reporting to investors
The SEC rules, as proposed in March of last year, are about disclosure: reporting to investors what a company is doing on the cybersecurity front, not whether the measures in place are adequate.
Among other things, companies are to report material incidents and provide updates on previously reported incidents. They also are to disclose their security processes, which board members have cybersecurity expertise, and what management is doing about security.
What the rules don't do is provide guidance on what is and isn't adequate security. A company can therefore comply with the rules without its board being much wiser about whether its protections are adequate.
“Whether or not all these rules will actually make companies — and, therefore, their customers — safer is a matter of debate,” the attorneys say.
The rules could even make companies less safe to the extent that they report on their own vulnerabilities, effectively handing attackers a roadmap for breaching their systems.
“Companies may end up not only disclosing information that may be of concern to investors as they look for possible regulatory violations and disruption to operations, but also exposing technical vulnerabilities and inadvertently putting a company at risk for further attacks,” they say.
What's more, since the reporting audience is shareholders rather than consumers, companies could be reluctant, on reputational grounds, to disclose incidents that fall short of the materiality threshold.
“Boards are already incentivized by market pressures to minimize or not report events that may be on the threshold of materiality since the reputational risks of a major cybersecurity event can be significant,” the attorneys say.
Other agencies also scrutinize companies' cybersecurity posture, most notably the Federal Trade Commission.
Other regulators, too, have cyber enforcement authority from a consumer rather than a shareholder standpoint, with powers that stem from the new California data privacy law and the European Union's General Data Protection Regulation.
But what's missing is a comprehensive federal law.
“Until any such legislation actually makes it out of the U.S. Congress with its teeth intact, the public should not assume that the proposed SEC rules will force companies to make significant improvements in their cybersecurity posture,” they say.
A federal data privacy bill, the American Data Privacy and Protection Act, passed a key House committee last year, but it's unclear what progress it will make in the next year or so.
From a board's standpoint, Caremark remains a high bar for plaintiffs to clear. No board has been held liable under it since Delaware courts began applying the standard in 1996.
But since 2019, courts have become more inclined to let such cases proceed. A recent case examined whether Boeing's board of directors failed in its duty of oversight by not requiring management to set up a system that kept the board informed of safety issues. The matter was settled out of court, but only after the court had denied the company's motion to dismiss.
“It’s … crucial to understand the difference between complying with data privacy regulations — which most lawyers today understand is crucial — and having truly good cybersecurity,” the attorneys say.