Smart executives can be forgiven for misunderstanding the breadth and limits of regulatory power over cybersecurity. Especially given the SEC’s spectacular scene-stealing actions in 2023 and its wing-clipping in 2024, CISOs and non-technical executives may wonder how, whether, and to what degree to adhere to the SEC’s new Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule.
To put it more concisely: what did the cybersecurity rule giveth that SEC v. SolarWinds and Loper Bright tooketh away?
First, let there be no mistake about it: the SEC’s rule (what we at HALOCK affectionately call “CRMSGID,” or crims-ghid) is intact and carries the same force of law it did when the final rule was published in 2023.
Some confusion arose in the summer of 2024, however, when two attention-grabbing Supreme Court cases, Loper Bright Enterprises v. Raimondo and Relentless, Inc. v. Department of Commerce, hemmed in the power of regulators in general, and a district court ruling in Securities and Exchange Commission v. SolarWinds Corp. & Timothy G. Brown restricted (but did not eliminate) the SEC’s use of its powers to address cybersecurity controls.
Chevron Overturned: Loper Bright and Relentless
The first two cases (which we will abbreviate as Loper Bright) require courts to use their own judgment when interpreting an ambiguous statute, for example when a company sues a regulator for overstepping its authority. Loper Bright overturns a landmark decision, Chevron U.S.A., Inc. v. Natural Resources Defense Council, Inc., which had instructed courts to defer to a regulator’s reasonable interpretation of an ambiguous statute that authorized its enforcement power.
To explain this landmark case, imagine that Congress passes a law (a statute) requiring that all commercial software be placed in escrow to ensure business continuity for its users and licensees. Our example statute authorizes the Department of Commerce to write regulatory rules describing how the escrow requirement will work, and to enforce those rules. Let’s imagine that the statute says the code must be “readable” when in escrow. “Readable” is a vague term. It may mean that its programmers can read it in Classical Mongolian when presented inside a PDF, it may mean it is “readable” by a proprietary interpreter, or it may mean that it is readable in a common text editor. Before Loper Bright, if the Department of Commerce and a programmer disagreed in court about how to define “readable,” the court would have deferred to the Department of Commerce’s definition as long as it was reasonable; hence, “Chevron deference.” After Loper Bright, the court must decide for itself which definition the statute best supports. After all, said the Supreme Court, it is the job of the Judiciary to interpret the laws, not the Executive Branch, where regulators reside.
Does Loper Bright hinder the SEC’s new CRMSGID rule? No. Not in the least. The new rule does not rest on a regulator’s reading of a vague statute. CRMSGID doesn’t even require that any new cybersecurity controls be put in place. It simply requires that public companies disclose material cybersecurity incidents and describe how they manage cybersecurity risk, so that investors can judge whether that risk could cause them material harm. Nor has any challenge argued that the SEC lacks the authority to require disclosure of information that is material to investors.
SEC v. SolarWinds Does Not Say What You Think It Says
Spoiler alert. The SolarWinds case doesn’t invalidate or hinder CRMSGID either. Here’s why.
SolarWinds (a publicly listed company) made specific claims on its website about its cybersecurity controls. The company was later compromised by Russian state-backed hackers beginning in 2019, and the full scope of that attack was not understood until December 2020.
The SEC, which is charged with protecting investors, argued that 1) SolarWinds’ public assurances about its cybersecurity controls misled investors, and 2) SolarWinds failed to maintain sufficient internal accounting controls to protect against the hack. SolarWinds countered with two arguments: its assurances about cybersecurity controls were meant for customers, not investors, so they should be of no interest to the SEC; and cybersecurity controls are not accounting controls, so, again, they should be of no interest to the SEC.
Judge Engelmayer of the U.S. District Court for the Southern District of New York ruled that the SEC’s first claim could proceed to trial, but dismissed the second, holding that the SEC’s explicit statutory authority over internal accounting controls does not extend to cybersecurity controls.
So the SolarWinds case does not hinder CRMSGID either. The new rule does not require cybersecurity controls. It requires that public companies disclose how they reduce the risks that cybersecurity poses to investors. And, here’s the clincher, the court says so explicitly on page three of the decision: “These new rules [ed. CRMSGID] are not implicated in this case, which involves conduct predating the new rules’ effective date.”
What Should a Publicly Listed CISO Do?
Follow the regulations as written. The challenge, of course, is that CRMSGID is new and there is not much specific guidance on what a worthy 10-K looks like. HALOCK’s Annual 10-K Survey gives reason to suspect that many new 10-Ks are not entirely truthful about the state of filers’ cybersecurity risk management programs. In the new Item 1C, public companies confidently describe their executives’ participation in cybersecurity oversight, but they sound much less confident when they respond to anonymous surveys.
HALOCK is an optimistic firm by nature. We believe the SEC has nudged corporate executives into taking charge of their cybersecurity risk: first by having them assure investors that everything is fine, and then by expecting them to implement the risk management, strategy, governance, and incident disclosure practices they have so confidently described.
While this may not be the ideal order of events, any good negotiator knows to first get the commitment, then expect the consistency.
For information about how to demonstrate responsible CRMSGID compliance, read HALOCK’s Annual 10-K Survey, and contact HALOCK for help demonstrating that your risk management programs are reasonable.