In February of this year, the Securities and Exchange Commission issued its updated Statement and Guidance on Public Company Cybersecurity Disclosures. In April, the SEC issued an Order that, among other things, levied a $35 million fine against Yahoo! Inc. for failing to properly report a 2014 data breach. These actions support the view that the SEC is consciously committing attention and resources to cybersecurity issues affecting public companies.
Here are some key takeaways from both the Guidance and from the Yahoo! Order:
- Executive Level Involvement. Disclosure obligations apply to both risks (risk factors) and incidents (meeting the materiality threshold). This implies the active involvement of Chief Information Officers (CIOs), Chief Technology Officers (CTOs), Chief Information Security Officers (CISOs), Data Protection Officers (DPOs), etc. in assessing risks to the enterprise and in determining the materiality of an incident. Yahoo knew that more than one hundred million individuals’ information had been compromised, yet delayed public reporting of the incident for two years—hence, materiality was not in question. Google has thus far asserted that it has no evidence of access to or exfiltration of its users’ information, but no reports yet indicate that it has affirmatively eliminated that possibility.
- Policies & Procedures. The SEC stresses (more than once in the Guidance) the importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents, pointing to the general obligation to have appropriate and effective disclosure controls and procedures.
- Timely Disclosures. Timing is important—although an internal investigation might warrant some delay, the SEC makes clear that companies should not use this as a reason to avoid disclosure altogether.
- Materiality Requires a Holistic Approach. From the Guidance: “The materiality of cybersecurity risks or incidents depends on their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations.” This materiality determination would appear to require analysis from numerous departments within an organization, assessing the incident from a number of angles. On the risk factor side, Yahoo noted in public filings following the breach incident that “[i]f our security measures are breached, our products and services may be perceived as not being secure, users and customers may curtail or stop using our products and services, and we may incur significant legal and financial exposure.”
- Identify Risks, not Technical Vulnerabilities. From the Guidance: “We do not expect companies to publicly disclose specific, technical information about their cybersecurity systems, the related networks and devices, or potential system vulnerabilities in such detail as would make such systems, networks, and devices more susceptible to a cybersecurity incident.” The SEC is not interested in how, but whether, risks and incidents are properly addressed. This should allay some confidentiality concerns associated with compliance.
- Accountability. From the Guidance: “A company must include a description of how the board administers its risk oversight function. To the extent cybersecurity risks are material to a company’s business, we believe this discussion should include the nature of the board’s role in overseeing the management of that risk.” It seems that cybersecurity risks are material to nearly every company’s business today, whether involving exposure of third party data, access to company trade secrets, interference with production via an IoT vulnerability, etc. Consequently, most boards must evaluate the nature and scope of the company’s risk, and ascertain a mechanism by which the board can properly and effectively monitor that risk.
Obviously the SEC has its eye on the cybersecurity ball, and coordination among the Board, CEO, CFO, COO, and CIO/CTO/CISO/DPO is more important than ever in ensuring compliance with myriad disclosure requirements. Even for companies outside of industries directly subject to data security/privacy laws, regulations, and standards—e.g., healthcare (HIPAA), financial services (GLBA), retailers (PCI DSS and FTC Section 5)—efforts must be made to ensure that appropriate disclosure controls and procedures are adopted and implemented to avoid regulatory scrutiny and penalties.