In two steps that appear to indicate renewed, if not intensified, scrutiny of public companies’ cybersecurity practices by the Securities and Exchange Commission (SEC), the SEC’s five commissioners unanimously issued guidance (the “Guidance”) on February 21, 2018, covering a range of cybersecurity topics, including disclosure obligations, board oversight, and risk management controls. While the Commission issued the Guidance unanimously, it is important to note that two of the commissioners have released public statements expressing reserved support for the Guidance, but noting that it in large part recapitulates guidance regarding cybersecurity disclosure already presented in 2011 by the SEC’s Division of Corporation Finance.
Public companies should closely review the Guidance for the additional details it provides regarding key disclosure obligations.
Disclosures regarding cybersecurity threats and practices should be integrated throughout a company’s periodic reports, including the Risk Factors, Management’s Discussion & Analysis, Description of Business, Legal Proceedings, and Financial Statements Disclosures sections. “Companies should avoid generic cybersecurity-related disclosures and provide specific information that is useful to investors.” The Guidance also advised public companies to consider disclosure regarding the nature of Board oversight of the management of risks relating to cybersecurity matters.
While companies are not required to make specific technical disclosures that would compromise their security efforts and while the SEC recognizes that additional details may come to light in the course of ongoing security investigations, companies should make every effort to provide timely disclosures with the information at their disposal so that the public can make informed investment decisions.
The Guidance also touches upon two areas not previously discussed by the SEC:
Companies are encouraged to adopt, implement, and regularly update comprehensive cybersecurity risk management policies. Importantly, these policies should specify disclosure controls and procedures that ensure that relevant information regarding cybersecurity threats and developments is channeled to the right personnel, for purposes of both assessing risk and determining disclosure obligations. There should, in particular, be a free flow of information up the corporate ladder to senior management.
Information about cybersecurity risks and practices may be material nonpublic information, and, therefore, companies should be mindful of applicable insider trading laws when drafting codes of conduct, designing trading black-out periods, and otherwise implementing executive trading policies.
Following up on its Guidance, on April 24, 2018, the SEC settled an enforcement action against Altaba (f/k/a Yahoo!) Inc. In that settlement, Altaba agreed to pay a $35 million penalty to settle charges that it misled investors by failing to disclose one of the world’s largest data breaches. Per the SEC, Yahoo’s information security team became aware of the December 2014 data breach and informed Yahoo’s senior management and legal department of the breach within days, but made no public disclosure for more than two years.
According to the SEC’s settlement order: (1) Yahoo failed to disclose the breach or its potential business impact and legal implications in SEC filings during the two-year period following the breach; (2) Yahoo did not share information regarding the breach with its auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings; and (3) Yahoo failed to maintain proper disclosure controls and procedures.
In the press release announcing the settlement, the SEC staff provided insightful guidance regarding cybersecurity disclosure and SEC enforcement, with Steven Peikin, Co-Director of the SEC Enforcement Division, stating – “We do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.”
In light of the Guidance and recent enforcement action, companies are advised to:
- make cybersecurity training and compliance a priority company-wide;
- review their existing periodic filing disclosures for completeness and timeliness;
- confirm that existing policies and practices call for appropriate and timely notification to appropriate senior leaders;
- ensure that auditors and outside counsel are informed of breaches in order to assess the company’s disclosure obligations in its public filings;
- review their disclosure controls and procedures; and
- update their insider trading policies as necessary to expressly contemplate cybersecurity risks as potentially material nonpublic information.