Developments In The United States & Finland
III. International Securities, Capital Markets, and Cybersecurity: The United States, Europe, and Finland
In today’s digital age, and amidst heightened global tensions, the threat of cyberattacks looms large over businesses and organizations of all sizes. Finnish publicly listed companies are no exception, and they must be prepared to respond to these threats not only in terms of cybersecurity but also in terms of transparency and disclosure. A cyberattack can have far-reaching consequences, not just for the company but also for its shareholders and the broader financial market.
A cyberattack can take many forms, including data breaches, ransomware attacks, and other malicious activities that compromise a company’s digital assets and data. Cybersecurity threats are becoming more advanced, and with increasing geopolitical tensions, the risk of sophisticated cyberattacks by state actors, especially against critical service providers, keeps growing. In 2017, state-sponsored cyberattacks utilizing malware called NotPetya caused an estimated $10 billion in damages to companies in Ukraine and abroad. It is essential for publicly listed companies to evaluate and assess their material cybersecurity risks and to recognize when they have experienced a cyberattack that qualifies as a disclosable event. Publicly listed companies are obliged to disclose a cybersecurity incident if it constitutes inside information within the meaning of Article 7 of the EU Market Abuse Regulation (MAR); under Article 17 of MAR such information must be made public as soon as possible unless disclosure is lawfully delayed. A serious cyberattack could have a significant impact on the price of the securities and therefore meet that test.
On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) adopted new rules on cybersecurity risk management, strategy, governance, and incident disclosure by SEC-registered companies. The new rules require U.S. registrants to disclose a material cybersecurity incident on Form 8-K within four business days after the company determines that the incident is material; the clock runs from the materiality determination, not from discovery of the incident, and the determination itself must be made without unreasonable delay. Foreign private issuers furnish the corresponding disclosure on Form 6-K promptly after the incident is disclosed or otherwise made public, or is required to be disclosed or otherwise made public, in the registrant’s jurisdiction of domicile, to any stock exchange on which its securities trade, or to its security holders. The rules also require registrants to disclose the following annually, on Form 10-K for domestic registrants and on Form 20-F for Nordic and other foreign private issuers:
- processes for assessing, identifying and managing material cybersecurity risks;
- material effects of risks from cybersecurity threats and past cybersecurity incidents; and
- the role of the board of directors and the management in overseeing and assessing cybersecurity risks.
In the United States, internal control failures regarding cybersecurity reporting may lead to consequences for the company and its management. On October 30, 2023, the SEC charged SolarWinds Corporation and its chief information security officer with fraud and internal control failures. SolarWinds Corporation was charged with misleading investors in its reporting of its cybersecurity practices and known risks from at least the company’s October 2018 initial public offering through at least its December 2020 announcement that it was the target of a massive, nearly two-year-long cyberattack. In a notable response to the evolving rules, the ransomware group ALPHV/BlackCat, after breaching MeridianLink and stealing data in November 2023, claimed to have taken the unusual step of filing a complaint with the SEC when its ransom demand was not met, alleging that MeridianLink had failed to disclose the incident within four business days. The incident-disclosure rule had not yet taken effect (its compliance date was December 18, 2023), but the episode shows that a fixed disclosure deadline can itself become leverage for extortion.
In contrast to the stringent regulatory environment of the United States, the Finnish system for managing and disclosing cybersecurity incidents adopts a more flexible and voluntary approach. The exception to this approach concerns companies operating in certain vital sectors identified in Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (NIS1 Directive). Finnish publicly listed companies, while encouraged to maintain robust cybersecurity measures, are not bound by the same rigid disclosure obligations as their U.S. counterparts. The National Cyber Security Centre Finland (NCSC-FI) has issued guidance to companies for assessing and monitoring cybersecurity risks and measures, as well as for developing procedures for handling cybersecurity incidents. Companies are advised to develop comprehensive procedures for managing cybersecurity incidents, but the implementation of these guidelines is largely at the discretion of the companies themselves. Major cybersecurity incidents that could affect the price of the issued financial instruments nevertheless fall under the disclosure obligations set out in the Market Abuse Regulation (MAR).
The voluntary adoption of cyber risk management policies is a critical step in safeguarding companies against the escalating threat of cyberattacks. By proactively implementing robust cybersecurity measures, companies can significantly reduce their vulnerability to data breaches, financial losses, and reputational damage. These policies encompass a wide range of practices, including regular software updates, employee training, encryption, and incident response plans. When adopted willingly, they empower businesses to identify and address vulnerabilities, thereby minimizing the potential harm of cyberattacks. In a digital landscape where threats are ever-evolving, voluntary cyber risk management policies are a proactive and cost-effective approach to protect both sensitive data and an organization’s financial stability.
The implementation of Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2 Directive), which replaced the NIS1 Directive, represents a significant shift in the cybersecurity landscape for Finnish companies. The NIS2 Directive expands its scope to include new sectors, covering and specifying obligations for a wider array of Finnish public and private companies. Member states must adopt the national measures necessary to comply with the NIS2 Directive by October 17, 2024 and apply them from October 18, 2024. As this EU-wide regulation expands its scope and enforces stricter security requirements, Finnish publicly listed companies, particularly those in critical sectors, will face enhanced obligations. The NIS2 Directive applies to entities falling into two categories: “essential” and “important.” Classification into these categories is based on the criticality of the sector in which the entity operates combined with its size. Broadly, essential entities are those that exceed the thresholds for medium-sized enterprises and operate in the sectors of high criticality listed in Annex I of the Directive, while important entities are the medium-sized entities in those sectors together with the medium-sized and large entities in the other critical sectors listed in Annex II; certain entities, such as providers of public electronic communications networks and qualified trust service providers, are covered regardless of size. For many Finnish public companies, this means a transition from a primarily guidance-based approach to a more regulated environment, necessitating adjustments in their cybersecurity strategies and governance models to comply with these enhanced EU standards.
The NIS2 Directive also imposes new obligations on management bodies, requiring them to approve and oversee the entity’s cybersecurity risk management measures and making them accountable for infringements. These measures encompass information system security, supply chain security, cyber hygiene practices, incident handling, and business continuity and crisis management. Entities must notify their competent authority or computer security incident response team of any incident that has a significant impact on the provision of their services. An incident is considered significant if it: (1) has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned; or (2) has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.
Essential and important entities that become aware of a significant cybersecurity incident are required to submit an early warning to the authorities without undue delay and in any event within twenty-four hours of becoming aware of it, followed by an incident notification within seventy-two hours, an intermediate status report upon the request of the authorities, and a final report no later than one month after the incident notification. Where the incident is still ongoing at that point, a progress report is due instead and the final report follows within one month of the incident being handled. Entities outside the scope of the NIS2 Directive may notify significant incidents, cyber threats, and near misses on a voluntary basis, and in-scope entities may voluntarily notify incidents that do not meet the significance threshold.
In the framework of the NIS2 Directive, supervisory authorities have distinct oversight and enforcement powers for essential and important entities: essential entities are subject to proactive, ex ante supervision, whereas important entities are supervised ex post, when there is evidence or indication of non-compliance. The most severe measures are reserved for essential entities. In cases of persistent non-compliance, authorities can temporarily suspend certifications or authorizations pertinent to the services provided by an essential entity and can temporarily prohibit any natural person discharging managerial responsibilities at the Chief Executive Officer (CEO) or legal representative level from exercising managerial functions until the entity remedies the deficiencies or complies with the requirements that prompted the suspension or prohibition. Financially, essential entities face maximum administrative fines of up to ten million euros or two percent of their total worldwide annual turnover in the preceding financial year, whichever is higher, and important entities face fines of up to seven million euros or 1.4 percent of that turnover, whichever is higher.
While both the NIS2 Directive and the SEC’s new cybersecurity rules aim to enhance cybersecurity resilience and transparency, the NIS2 Directive focuses more on preparedness, cooperation, and the creation of a security culture across critical sectors in the EU, which supports long-term investor confidence and market reliance. In contrast, the SEC rules are centered on timely disclosure of material cybersecurity incidents, detailed reporting on cybersecurity risk management, and the explicit responsibilities of boards and management in the United States, which aligns with investor interests in transparency and timely information in the U.S. market. Most crucially, the SEC rules apply to every company registered with the SEC, whereas the NIS2 Directive reaches only entities, listed or not, that are classified as essential or important; among publicly listed companies, this categorization leaves issuers outside the covered sectors or below the size thresholds without NIS2 obligations, even though their MAR disclosure duties remain. These differences reflect the distinct regulatory environments and priorities of the EU and the United States in addressing cybersecurity challenges, each with its own impact on investor perception, risk assessment, and confidence in the digital security of corporations.
The disclosure and reporting obligations of publicly listed companies in Finland and the United States in cybersecurity matters are critical for maintaining investor trust and market integrity. This analysis of the differing regulatory requirements in these two countries highlights the importance of transparency and timely communication in response to cyber threats. It also emphasizes the role of regulatory bodies, like the SEC in the United States, in shaping these requirements and the evolving nature of cybersecurity laws. The challenges companies face in navigating these complex regulations underscore the need for robust cybersecurity strategies and effective incident reporting. Ultimately, the ability of companies to comply effectively with these obligations is essential for protecting investor interests and ensuring the stability of financial markets in the digital age.