Takeaways for Nonprofit Healthcare Systems From SEC Cybersecurity Disclosure Interpretations

August 20, 2024

According to the American Hospital Association, cybercriminals are becoming more organized and sophisticated. For example, in addition to attacking the troves of patient data held by healthcare systems, cybercriminals now target specific types or brands of medical devices, which provide an almost endless supply of entry points into a network.

When responding to a cybersecurity incident, nonprofit healthcare systems have several constituents to consider. Patients and staff who risk having personal information exposed or procedures postponed are the most important, but bondholders of a system’s debt also will want to know about the incident. The Securities and Exchange Commission recently updated its Compliance and Disclosure Interpretations (C&DIs) related to cybersecurity incidents for public reporting companies. While this guidance is not binding on nonprofit healthcare systems that issue bonds, it provides helpful insights.

A previous alert highlighted three takeaways for municipal bond issuers from the SEC’s cybersecurity disclosure rules, including the importance of implementing cybersecurity policies. The recent updates to the C&DIs for cybersecurity disclosures provide specific interpretations of when the materiality rules apply to cybersecurity incidents. Systems should use these updates to flesh out the incident response details in their cybersecurity policies. By improving its cybersecurity policy before an incident, a system has less to work out when one does occur.

Incident Can Be Material Even With Quick Resolution

A quick resolution of an incident is one factor to consider in making the materiality determination, but it is not dispositive. The C&DIs specify that even if a cybersecurity incident has been resolved (or appears resolved), the incident could still be material. The determination must be guided by the principles set forth in the adopting release of the cybersecurity rules: whether there is a substantial likelihood that a reasonable investor would consider the incident important in making an investment decision, or whether it would significantly alter the total mix of information made available.

A cybersecurity policy should not stop the materiality analysis or dismiss the materiality of an incident simply because it was resolved quickly.

Insurance Claim or Payment to Threat Actor Does Not Stop Analysis of Materiality

The C&DIs also specify that even if a payment was made to the threat actor, or the registrant relied on insurance to address the incident (whether by reimbursing a payment or otherwise), the incident still must be disclosed if it is material. When determining the materiality of an incident, parties should consider all relevant facts and circumstances, which may involve qualitative as well as quantitative factors, including longer-term effects on operations, brand perception and customer relations.

These are all factors that nonprofit healthcare organizations should examine when considering disclosures related to a cybersecurity incident. Organizations may have difficulty determining the degree to which any of these long-term effects may be material or need to be disclosed.

Previously, when addressing disclosures regarding the impact of COVID-19, SEC staff indicated that bond issuers (such as nonprofit healthcare systems) should approach these types of disclosures through the “bespeaks caution” doctrine, using proper forward-looking statement disclaimers. A materiality analysis that is overly reliant on quantitative factors, such as the use of insurance proceeds to pay the threat actors, would be incomplete if it did not also consider qualitative factors.

Series of Small Seemingly Unrelated Incidents May Be Material

Like the raptors in “Jurassic Park” testing the electric fence, cybercriminals may initiate an attack through a series of small intrusions that on their own would not appear to be material. The C&DIs state that registrants should consider whether a series of incidents is related, whether by the actor initiating them, the focus of the intrusions or other connections. Registrants should then assess the materiality of related incidents in the aggregate rather than individually.

Nonprofit healthcare systems should ensure that their cybersecurity policies account for this factor and should apply it when considering disclosures around cybersecurity incidents. If the incidents are determined to be related in some way, the materiality analysis and any corresponding disclosures should address the incidents in the aggregate. Just as overreliance on the dollar amount of an incident can mislead, so can overreliance on the size of any one incident; both fail to consider the bigger picture. When considering cybersecurity disclosures, organizations should ask staff about any prior incidents similar to the current one.

McGuireWoods has published additional thought leadership related to SEC cybersecurity rules and will continue to monitor relevant updates. Please contact the authors for additional information and assistance navigating urgent and evolving legal issues arising from cybersecurity incidents.
