The SEC's new guidance on public company cybersecurity disclosures and Chairman Clayton's accompanying statement emphasize the SEC's expectations that public companies: (i) implement comprehensive cybersecurity policies that allow them to make accurate and timely disclosure of material cybersecurity risks and events; and (ii) prohibit insider trading based on selective disclosure of cyber risks or incidents.
The SEC makes clear that companies were required under prior guidance to report cybersecurity risks under existing federal securities reporting laws, including in Form 10-K annual reports and Form 10-Q quarterly reports. The SEC encourages companies to evaluate materiality and cybersecurity risk by examining prior cybersecurity incidents, the probability of recurrence, adequacy of preventative actions, additional protection costs, and the potential for reputational harm. The SEC cautions that "companies may need to disclose previous or ongoing cybersecurity incidents" to place discussions of these risks in an appropriate context.
Policies and Procedures
The SEC encourages companies "to adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly, including the sufficiency of their disclosure controls and procedures as they relate to cybersecurity disclosure." The SEC notes that such controls "should … ensure timely collection and evaluation of information potentially subject to required disclosure" to allow companies to identify potential risks.
The SEC advises that "information about a company's cybersecurity risks and incidents may be material nonpublic information," and insiders violate antifraud provisions if they trade securities while in possession of that material nonpublic information. The SEC also directs companies to create policies to prevent insider trading on all types of nonpublic information, including cybersecurity information.
Criticism from Commissioners Jackson and Stein
Shortly after Chairman Clayton announced the new guidance, Commissioners Robert Jackson, Jr. and Kara Stein suggested in statements that the SEC should have done more, such as mandating disclosures within a particular time frame.
The SEC has provided helpful guidance for public companies on cybersecurity-related policies and procedures. Most importantly, the SEC emphasizes the need to integrate cybersecurity-related risks and events into a company's existing disclosure controls and procedures. To that end, it places a premium on close coordination and communication between a public company's disclosure controls and procedures team and its IT personnel. It will be critical going forward for companies to ensure they elevate discussions around potential cybersecurity-related disclosures to the right level and the appropriate groups within the company. The guidance also highlights the need for public companies to ensure their insider trading policies identify and protect against cybersecurity risks, which it notes can be material nonpublic information. This guidance and other SEC statements demonstrate that cybersecurity will be an area of emphasis for the agency going forward.