
August 04, 2023
Health Law Weekly

The Nexus Between the SEC’s Final Rule and the Health Care Industry

  • Rachel V. Rose, Rachel V. Rose—Attorney at Law PLLC
  • Bob Chaput, Clearwater

In March 2023, we wrote the article, Why ALL Health Care Organizations Must Care About SEC Proposed Cybersecurity Rule Changes,[1] which highlighted the U.S. Securities and Exchange Commission’s (SEC’s) March 9, 2022 announcement of its proposed rules related to cybersecurity requirements (i.e., risk management, corporate governance, and incident disclosures).[2]

While testifying in front of the U.S. Senate Committee on Banking, Housing, and Urban Affairs, SEC Chairman Gary Gensler stated, “[t]he proposed amendments are intended to better inform investors about a registrant’s risk management, strategy, and governance and to provide timely notification of material cybersecurity incidents.”[3] The wait is over. On July 26, 2023, the SEC released its final rule related to cybersecurity. Specifically, the final rule requires registrants and foreign issuers alike “to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.”[4]

This article highlights some of the key areas that health care sector participants—public, private, and not-for-profit—should consider in relation to enterprise risk management and policies and procedures.

Final Rule

The focus of the final rule is enabling investors “to evaluate registrants’ exposure to material cybersecurity risks and incidents as well as registrants’ ability to manage and mitigate those risks.”[5]

Only two of the four significant proposed changes made it into the final rule (i.e., updates on material incidents via 10-Q and 10-K filings and disclosures of board cybersecurity expertise were not adopted), and the level of detail required on both material cybersecurity incidents and cybersecurity risk management, strategy, and governance was greatly reduced.[6] However, health care organizations would be wise to reference the original proposed rules as a harbinger of future requirements in these and other emerging regulations, such as the New York Department of Financial Services tightening requirements around cyber incident reporting[7] and the proposed rules on the Cybersecurity Maturity Model Certification (CMMC) and Defense Federal Acquisition Regulation Supplement, which are slated for release for public comment in September 2023.[8] The proposed regulations provide critical guidance on risk management, cybersecurity recordkeeping, and reporting processes.

As an example of the guidance provided by the SEC rulemaking process, under the proposed rule changes, disclosure about an organization’s risk management strategy required addressing eight specific items in the form of a discussion of whether:

  1. The registrant has a cybersecurity risk assessment program, and if so, provide a description of such program;
  2. The registrant engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program;
  3. The registrant has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service provider, including, but not limited to, those providers that have access to the registrant’s customer and employee data. If so, the registrant shall describe these policies and procedures, including whether and how cybersecurity considerations affect the selection and oversight of these providers and contractual and other mechanisms the company uses to mitigate cybersecurity risks related to these providers;
  4. The registrant undertakes activities to prevent, detect, and minimize effects of cybersecurity incidents, and if so, provide a description of the types of activities undertaken;
  5. The registrant has business continuity, contingency, and recovery plans in the event of a cybersecurity incident;
  6. Previous cybersecurity incidents informed changes in the registrant’s governance, policies and procedures, or technologies;
  7. Cybersecurity-related risks and previous cybersecurity-related incidents have affected or are reasonably likely to affect the registrant’s strategy, business model, results of operations, or financial condition and if so, how; and
  8. Cybersecurity risks are considered as part of the registrant’s business strategy, financial planning, and capital allocation, and if so, how.[9]

The final rule significantly reduces the level of detail, which may be good for ease of reporting but not necessarily for building and implementing a strong cyber risk management program. The final rule streamlines the risk management disclosure requirements and requires organizations to:

  1. Describe the registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. In providing such disclosure, a registrant should address, as applicable, the following non-exclusive list of disclosure items:

(i) Whether and how any such processes have been integrated into the registrant’s overall risk management system or processes;

(ii) Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes; and

(iii) Whether the registrant has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.

  2. Describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how.[10]

The final rule should be reviewed with an eye towards risk, governance, materiality, and legal implications. The final rule also captures the essence of which standards (i.e., the National Institute of Standards and Technology (NIST))[11] and laws should be considered:[12]

Some registrants are also subject to other mandates regarding cybersecurity risk management, strategy, and governance. For instance, government contractors may be subject to the Federal Information Security Modernization Act, and use the NIST framework to manage information and privacy risks. Certain financial institutions may be subject to the FTC’s Standards for Safeguarding Customer Information Rule, requiring an information security program, including a qualified individual to oversee the security program, and the provision of periodic reports on the cybersecurity program to a company’s board of directors or equivalent governing body. Under HIPAA regulations, covered entities are subject to rules that require protection against reasonably anticipated threats to electronic protected health information. International jurisdictions also have cybersecurity risk mitigation measures and governance requirements (see, for example, the GDPR). These rules and regulations provide varying standards and requirements for disclosing cybersecurity risk management, strategy, and governance, and may not provide investors with public or clear and comparable disclosure regarding how a particular registrant manages its cybersecurity risk profile.

As a reminder, despite the SEC final rule only mentioning Health Insurance Portability and Accountability Act (HIPAA) covered entities, business associates, which include subcontractors,[13] are also required to meet these standards.[14] Additionally,

[i]f a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement [written agreement] with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules.[15] (emphasis added).

These “contractual obligations” are set forth in a business associate agreement (BAA)[16] and/or other similar agreement.[17] Hence, the underlying compliance with HIPAA and other laws, such as the General Data Protection Regulation (GDPR), especially if a business associate is located outside of the United States,[18] is not optional and can translate into liability under a variety of SEC laws, rules, and regulations, including its recent final rule.[19] Additionally, the final rule places significant focus on the importance and responsibility of disclosing “third-party” risks and incidents. “Third party” was referenced 39 times in the final rule. Some third parties are under contract, a BAA, for example, and have a lawful right to use and/or process the data provided the data is properly safeguarded. Other third parties do not have a contract in place, and therefore have no lawful right to process the data. Any data transferred to or shared with third parties, if the technical, administrative, and/or physical safeguards (with particular emphasis on the technical safeguards) are exploited, could result in a reportable breach under HIPAA, as well as a disclosure under the SEC laws that were already in place before the final rule.[20] In other words, the best way to avoid liability on the back end[21] is to “play offensive” by cultivating a culture of compliance that emphasizes utilizing risk assessments/risk analyses to meet the required technical, administrative, and physical safeguards.[22]

Before delving into suggested cyber governance questions for boards and executives alike, one item that appeared in the March 2022 proposed rules but does not appear in the final rule is the board cybersecurity expertise disclosure requirement. As one report put it, “[c]ompanies will no longer need to say if their boards have cybersecurity experts under new rules from U.S. financial regulators, but that hasn’t diminished the importance of having them available, company directors say.”[23] This underscores another way for companies to mitigate risk: keeping boards well equipped to handle their fiduciary duties and to perform internal due diligence on their companies in order to address the need for cybersecurity risk management.

Governance Issues

In re Caremark Int’l Deriv. Litig., 698 A.2d 959 (Del. Ch. 1996), is a seminal case that addressed board fiduciary duties to exercise oversight and uphold their fiduciary duty of care. Under Caremark, directors may be held personally liable if they fail to implement appropriate information and reporting systems or, having done so, fail to adequately monitor and address potential risks or problems. Boards should consider what questions they need to be asking to ensure that the Caremark standard of care is being met in relation to cybersecurity risks and the management of those risks. Related issues to consider include the following: the organization’s indemnification policy and scope of insurance coverage for directors and officers and whether the board is promoting a culture of cybersecurity compliance, in addition to the executive team.[24]

With the adoption of the final rule, the legal liability landscape for cybersecurity has expanded. While not-for-profit or private organizations may be thinking “this does not apply to me,” the reach of potential federal enforcement, including by the Department of Health and Human Services and the SEC, to third parties, as well as those engaging in joint ventures, mergers, and/or acquisitions, can impact non-publicly traded companies as well.

Conclusion

The White House announced July 19, 2023 that the Office of the National Cyber Director is requesting comments on the harmonization of cybersecurity regulations.[25] We are long overdue for harmonization of common terms across state and federal requirements. Terminology varies, for example, in the context of incidents and the reporting timeframes from breach (HIPAA) to material cybersecurity incident (SEC) to substantial cyber incident (CIRCIA). Reporting timelines range from 60 days (HIPAA) to 72 hours (CMMC) to 24 hours in the case of ransom payments (CIRCIA).

These developments underscore how the health care sector should make cybersecurity compliance a priority in order to accurately assess an organization’s risk in relation to the probability or severity of a cybersecurity incident and the potential downstream reputational, financial, and legal consequences. Health care organizations are encouraged to work with counsel, cybersecurity and information technology vendors, and consultants to ensure that they are addressing the new requirements of the SEC final rule.

About the Authors

Rachel V. Rose, JD, MBA is an accomplished attorney who in 2012 established her own law firm, Rachel V. Rose – Attorney at Law, PLLC (Houston, Texas), and began teaching bioethics at Baylor College of Medicine (Houston, Texas). In addition to representing clients in transactional, compliance, select government investigations, and litigation matters related to health care, cybersecurity, securities law, the False Claims Act, and Dodd-Frank, she has served as both a consultative and a testifying expert in a variety of cases. Ms. Rose is often quoted as an expert in a variety of publications, as well as a sought-after presenter and author of articles and books. www.rvrose.com.

Bob Chaput, NACD.DC, CISSP, HCISPP, CRISC, CIPP/US, C|EH, NACD CERT Cyber Risk Oversight is the author of “Stop the Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management (ECRM).” He is the Founder and Executive Chairman of Clearwater, a leading provider of cybersecurity, risk management, and HIPAA compliance software, consulting, and managed services—exclusively for health care. He is an adjunct faculty member of Quinnipiac University’s School of Computing and Engineering, developing enterprise cyber risk management courses, an Institute of Advanced Network Security (IANS) Faculty Member, and an advisory board member of Kennesaw State University’s Institute of Cybersecurity Workforce Development.


[1] R.V. Rose, B. Chaput, Why ALL Health Care Organizations Must Care About SEC Proposed Cybersecurity Rule Changes, Health Law Weekly (Mar. 3, 2023), https://www.americanhealthlaw.org/content-library/health-law-weekly/article/632849de-772c-40e5-ad5c-1551ddf8d5ae/Why-ALL-Health-Care-Organizations-Must-Care-About.

[2] 87 Fed. Reg. 16590 (Mar. 23, 2022); SEC, SEC Proposes Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies (Mar. 9, 2022), https://www.sec.gov/news/press-release/2022-39 (hereinafter, SEC Press Release).

[3] Gensler, Gary, Testimony Before the United States Senate Committee on Banking, Housing, and Urban Affairs (Sept. 15, 2022), https://www.sec.gov/news/testimony/gensler-testimony-housing-urban-affairs-091522.

[4] SEC, SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies (Jul. 26, 2023), https://www.sec.gov/news/press-release/2023-139; see also 87 Fed. Reg. 16590.

[5] SEC, FACT SHEET: Public Company Cybersecurity Disclosures; Final Rules, https://www.sec.gov/files/33-11216-fact-sheet.pdf (last accessed Jul. 29, 2023).

[6] SEC, Final Rule, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, at p. 117 (Jul. 26, 2023) (Federal Register publication pending), https://www.sec.gov/files/rules/final/2023/33-11216.pdf (internal citations omitted) (hereinafter, SEC Final Rule).

[7] Harley L. Geiger, Venable LLP, Four Cybersecurity Law Issues for Financial Services to Track in 2023 (Feb. 16, 2023), https://www.venable.com/insights/publications/2023/02/four-cybersecurity-law-issues-for-financial-serv.

[8] Nick Wakeman, DOD, OMB expect September release of proposed CMMC rule, Wash. Tech. (July 25, 2023), https://washingtontechnology.com/contracts/2023/07/dod-omb-expect-september-release-proposed-cmmc-rule/388810/.

[9] SEC, Proposed Rule, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, 87 Fed. Reg. 16590 (Mar. 23, 2022), https://www.govinfo.gov/content/pkg/FR-2022-03-23/pdf/2022-05480.pdf.

[10] SEC Final Rule, supra note 6, at 117.

[11] NIST, https://www.nist.gov/about-nist (last visited Aug. 1, 2023).

[12] SEC Final Rule, supra note 6, at 117.

[13] 45 C.F.R. § 160.103.

[14] HHS, Covered Entities and Business Associates, https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html (last visited Aug. 1, 2023).

[15] Id.

[16] 45 C.F.R. § 164.504.

[17] See What is a GDPR data processing agreement?, https://gdpr.eu/what-is-data-processing-agreement/ (last visited Aug. 1, 2023).

[18] R.V. Rose, HIPAA Considerations When Business Associates and Data are International, NAMAS (Dec. 8, 2022), https://namas.co/hipaa-considerations-when-business-associates-and-data-are-international/.

[19] SEC, SEC Announces Three Actions Charging Deficient Cybersecurity Procedures (Aug. 30, 2021), https://www.sec.gov/news/press-release/2021-169.

[20] SEC Final Rule, supra note 6.

[21] A. Watkin-Child, T. Dziekanowski, R. Rose, U.S. and EU cybersecurity regulations enforces cybersecurity risk management ‘Left of Bang’ and into the financial statements of covered entities, The August Grp., https://augustagrp.com/left-of-bang-cyber-2-0 (last visited Aug. 1, 2023).

[22] R. V. Rose, March Madness! Protected health information cybersecurity frenzy, Physicians Practice (Mar. 23, 2023), https://www.physicianspractice.com/view/march-madness-protected-health-information-cybersecurity-frenzy.

[23] J. Rundle, Cyber Experience on Boards Still Seen as Critical in New SEC Rules, Wall St. J. (Jul. 27, 2023), https://www.wsj.com/articles/cyber-experience-on-boards-still-seen-as-critical-in-new-sec-rules-937702bd.

[24] See Top 5 Questions for Directors Re: Cyber Governance, Hosch & Morris, https://www.hoschmorris.com/privacy-plus-news/top-5-questions-for-directors-re-cyber-governance (last visited Aug. 1, 2023).

[25] The White House, Fact Sheet: Office of the National Cyber Director Requests Public Comment on Harmonizing Cybersecurity Regulations (Jul. 19, 2023), https://www.whitehouse.gov/oncd/briefing-room/2023/07/19/fact-sheet-office-of-the-national-cyber-director-requests-public-comment-on-harmonizing-cybersecurity-regulations/.
