On February 21, the Securities and Exchange Commission (the “SEC” or the “Commission”) issued the “Commission Statement and Guidance on Public Company Cybersecurity Disclosures” (the “2018 Guidance”). This is the first time since the SEC issued CF Disclosure Guidance: Topic No. 2 in October 2011 that the Commission has provided substantive guidance on companies’ disclosure obligations with respect to cybersecurity risks and cyber incidents. The 2018 Guidance goes beyond the 2011 guidance in two substantive ways: first, it stresses the importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents, and second, it discusses the application of insider trading prohibitions in the cybersecurity context. Below, we outline four key takeaways from the 2018 Guidance.
1. Companies should review their risk assessment and mitigation and disclosure controls processes and procedures.
- The 2018 Guidance encourages companies to consider providing disclosures on their cybersecurity risk management program, including how the board of directors performs its oversight role with respect to cyber matters.
- Controls and procedures should ensure timely collection and evaluation not only of information that clearly must be disclosed, but also of information (including information regarding cybersecurity risks and incidents) that may potentially be subject to required disclosure, or relevant to an assessment of the need to disclose developments and risks that pertain to the company’s businesses.
- Disclosure controls and procedures should enable a company to (i) identify and evaluate the significance of cybersecurity risks and incidents; (ii) assess and analyze the impact of those risks and incidents on the company’s business; (iii) provide for open communications between technical experts and disclosure advisors; and (iv) make timely disclosures regarding such risks and incidents.
- CEO/CFO certifications speak to the design and effectiveness of disclosure controls and procedures, and companies should take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact when making such certifications.
What to do next? Companies may want to review their disclosure controls in light of identified cybersecurity risks. If a company uses sub-certifications, it should consider adding one that speaks to the controls and procedures for identifying cybersecurity risks and incidents. Companies with robust cybersecurity risk management programs may want to consider providing high-level disclosure on their corporate websites or in their proxy statement or annual report. Companies should also consider whether to include cybersecurity risks in their disclosures on the board’s oversight of risk.
2. Existing disclosure requirements should be used to provide timely information on material cybersecurity risks and incidents.
- MD&A. In Management’s Discussion & Analysis (“MD&A”), the company’s analysis should be informed by (i) the cost of ongoing cybersecurity efforts (including enhancements to existing efforts); (ii) the costs and other consequences of cybersecurity incidents; and (iii) the risks of potential cybersecurity incidents.
- Description of business. With respect to a company’s description of its business, the company must provide appropriate disclosure if cybersecurity incidents or risks materially affect a company’s products, services, relationships with customers or suppliers, or competitive conditions.
- Legal proceedings. If a company experiences a cybersecurity incident involving, for example, the theft of customer information and the incident results in material litigation by customers against the company, the company should describe the litigation.
- Financial statements. The Commission expects companies’ financial reporting and control systems to be designed to provide reasonable assurance that information about the range and magnitude of the financial impacts of a cybersecurity incident would be incorporated into the financial statements on a timely basis as the information becomes available.
- Risk factors. The Commission acknowledges in the 2018 Guidance that following the issuance of the 2011 guidance, many companies have disclosed cybersecurity risk factors. However, the 2018 Guidance encourages companies, in drafting such risk factors, to consider: (i) the occurrence of prior cybersecurity incidents; (ii) the probability and potential magnitude of cybersecurity incidents; (iii) the adequacy and limitations of mitigation efforts; (iv) business- and industry-specific cybersecurity risks; (v) costs associated with cybersecurity protections; (vi) potential for reputational harm; (vii) the effect of current or pending cyber-related legislation; and (viii) other costs associated with cybersecurity incidents. Prior material company incidents should almost always be addressed in the risk factors, and incidents involving suppliers, customers, competitors and others may be relevant and should be considered.
What to do next? One of the key takeaways from the 2018 Guidance is that companies should be thinking about cyber-related disclosure more broadly. While a risk factor on cybersecurity matters may have been adequate in 2012, it may not be perceived as adequate in 2018 or 2019. Companies should consider having counsel with cybersecurity disclosure expertise review their disclosures, including, but not limited to, MD&A.
3. Companies should remember their broader disclosure obligations under Regulation FD.
The 2018 Guidance also reminds companies that in addition to the information expressly required by Commission regulation, a company is required to disclose “such further material information, if any, as may be necessary to make the required statements, in light of the circumstances under which they are made, not misleading.”
- In order to maintain the accuracy and completeness of registration statements, companies should consider using current reports on Form 8-K to disclose relevant material cybersecurity matters.
- The Commission does state that companies should not feel pressured to make detailed disclosures that could compromise cybersecurity efforts, but the Commission expects companies to timely disclose cybersecurity risks and incidents that are material to investors, including the associated financial, legal and reputational consequences.
- The Commission warns that a lengthy internal or external investigation alone will not be an adequate basis for avoiding disclosure.
What to do next? The response plans and protocols companies adopt for cybersecurity incidents and other crises should address SEC reporting obligations, and the individuals charged with oversight of cybersecurity matters should understand their responsibilities to report matters timely to the persons responsible for approving SEC filings.
4. Companies should review their insider trading policies and codes of ethics.
- The 2018 Guidance encourages companies to consider how information regarding cybersecurity risks and incidents may be material nonpublic information.
- Directors, officers and other corporate insiders would violate antifraud provisions if they trade the company’s securities in breach of their duty of trust or confidence while in possession of such material nonpublic information.
What to do next? Companies should consider how their codes of ethics and insider trading policies are implicated by cybersecurity risks and incidents, and should include in their incident response plans the ability to halt trading by insiders in the event of an incident.