SEC Regulations Clash with Best Practices
The battle between the preservation of attorney-client privilege and governmental interests is longstanding. However, recent events specific to cybersecurity incidents are giving the U.S. government the upper-hand in compelling the disclosure of cybersecurity information to the detriment of cyber incident victims.
In January 2023, the SEC won an enforcement action against a large multinational law firm, Covington & Burling, after the firm suffered a 2021 breach at the hands of Hafnium, a Chinese hacking group. After the compromise of Covington’s Microsoft Exchange Server, the FBI determined that Hafnium was seeking data about the incoming Biden Administration and any China-based policies, and Covington determined that only 7 of its 298 clients had their data exposed.
Seeking to confirm that no publicly-traded company failed to adhere to its disclosure obligations and determine whether non-public information was used for securities trading, the SEC sent a 10-part subpoena to Covington in 2022. Covington complied with each request, excepting only the demand for “production of certain documents concerning the threat actors, access to Covington's systems, including the identity of any public companies whose files were accessed in connection with the Cyberattack.” Claiming attorney-client privilege, Covington withheld the names of its clients, prompting the SEC to seek judicial support from the U.S. District Court for the District of Columbia in Sec. & Exch. Comm'n v. Covington & Burling, LLP, No. 23-MC-00002 (APM), (D.D.C. July 24, 2023).
Garnering national attention and amicus curiae briefs on both sides, Judge Amit Mehta ultimately ruled in favor of the SEC after determining that “[t]he existence of a communication between a client and her attorney is not privileged, even if the content of that communication would otherwise be protected.” Additionally, Judge Mehta found the SEC’s statutory power of subpoena sufficiently tailored in scope and purpose.
While legally sound, Judge Mehta’s opinion sets a troubling model for entities impacted by cyber incidents by questioning the strength and scope of the attorney-client relationship when it conflicts with government regulation. Further, the SEC published new cyber-attack disclosure guidelines on July 27, 2023, which require an entity suffering a “material cybersecurity incident” to report the matter to the SEC within 4 days. Unfortunately, both the recent case precedent and the regulations are more likely to harm cyber incident victims than to improve resiliency and cure market concerns.
Contrary to both common sense and need for patience in analyzing cyber incidents, the new SEC rules impose strict timelines on the reporting of “material cybersecurity incidents.” The SEC defines “cybersecurity incidents” as “an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” The impacted entity must determine the incident’s materiality, a classification contingent on whether “there is a substantial likelihood that a reasonable shareholder would consider it important.” Any doubts on materiality are resolved in favor of an investor’s concerns. It is the impacted entity’s responsibility to determine the nature, scope, timing, and impact of “material” cybersecurity incidents “as soon as reasonably practicable after the discovery of the incident.” Once materiality is determined and assessed, the impacted entity has 4 days to report the matter to the SEC.
While the SEC has a legitimate interest in ensuring that securities transactions maintain integrity, the new rules are ambiguous and encourage missteps in the name of compliance. The SEC attempted to define “material” before tendering the responsibility for this determination to the impacted entities themselves. However, this failure to articulate minimum, empirical thresholds for materiality encourages unpredictable and subjective determinations, leading to inconsistent results.
More worrisome is that in their rush to comply, impacted entities may act on inaccurate or incomplete information, forfeiting any existing operational security. These guidelines fail to consider the volatile nature of cybersecurity breaches. Speed is not the most important element in a cybersecurity investigation, and sometimes it can lead to more damage for the breached entity.
For example, once an entity has been hacked, the hackers will attempt to stay in the servers for as long as possible and collect as much data as possible before being discovered. The last step for a hacker is to encrypt all the victim’s data, and even the backups of the data, so they can then hold that stolen data for ransom or extortion potential. However, if an entity detects hackers in their system, and the hackers realize they are caught, they will try to steal, encrypt, and delete as much data as possible, as quickly as possible, before they are purged. This scenario often results in a total, irrecoverable loss for the victim.
However, if an entity becomes aware that it has been hacked but takes care not to alert the hackers to that awareness, it can take steps to save its data and stop the hackers from encrypting or deleting it all. The SEC guidelines instead prioritize speed over a calculated response, which may cause more destruction for the individual victims than anticipated.
Securities and Exchange Commission v. Covington & Burling, LLP, No. 23-MC-00002 (APM), 2023 WL 4706125, at *2 (D.D.C. July 24, 2023).
Securities and Exchange Commission v. Covington & Burling, LLP, No. 23-MC-00002 (APM), 2023 WL 4706125, at *4 (D.D.C. July 24, 2023).