The U.S. Securities and Exchange Commission on Feb. 21, 2018, issued interpretive guidance on public company cybersecurity disclosures.
The new guidance will affect public companies and companies seeking to go public in three key areas:
- Disclosure in periodic reports and registration statements
- Maintenance of disclosure controls and public reporting processes
- Impact on insider trading procedures
Cybersecurity has been an area of focus by the SEC for several years. The most recent formal statement from the SEC was provided by the Division of Corporation Finance in 2011. That guidance stressed the obligation for reporting companies to make appropriate disclosures regarding the risk of cybersecurity events, and in particular the consequences of any events that have occurred.
Recent commentary by senior officials indicates that cybersecurity matters have become an area of increased focus for the SEC. For example, in September 2017, SEC Chairman Jay Clayton issued a statement highlighting the importance of cybersecurity to the agency and market participants and detailing the agency's approach to cybersecurity as an organization and as a regulatory body.[1] We believe that the release of the new guidance indicates that cybersecurity will be an area of increased focus by the SEC in its review of periodic reports and registration statements.
The new guidance does not create specific new disclosure obligations and largely covers the same disclosure topics as the prior guidance, offering similar recommendations. However, the fact that the SEC issued this guidance suggests this will be an area of increased focus. In addition, the new guidance notes that it addresses two topics not covered in the prior guidance: maintenance of effective disclosure controls and procedures (DCPs)[2] to enable accurate and timely disclosure of material cybersecurity events, and the insider trading implications of the occurrence of cybersecurity events.
While the prior guidance focused on the need to address the risks and costs of cybersecurity considerations, the focus was largely on disclosure required after a cybersecurity event occurred. For example, it noted that discussion in a risk factor to the effect that a cyberattack may occur would likely be insufficient disclosure for a company that had experienced a material cyberattack. In such a case, to put the risk discussion in appropriate context, the SEC believed that the company would likely need to refer to the prior event so that investors could appreciate the nature of the risk faced.
The new guidance continues to address the need to provide appropriate context for cybersecurity disclosures by including descriptions of known events. However, it devotes equal attention to the need to discuss the cybersecurity threats and the consequences of cybersecurity compliance. For instance, it refers to consideration of such disclosures as:
- Probability of occurrence and potential magnitude of cybersecurity incidents
- Adequacy of preventative actions taken and limits on the company’s ability to mitigate cybersecurity risks
- Costs associated with maintaining cybersecurity protections
- Potential for reputational harm
- Existing or pending laws regarding cybersecurity matters to which the company is subject
- Litigation, regulatory investigation and remediation costs associated with cybersecurity incidents
The new guidance also refers to the potential obligation to discuss cybersecurity concerns as part of the disclosure of the board of directors' role in risk oversight.[3] The SEC states that to the extent that cybersecurity risks are material to a company's business, this risk oversight disclosure should include the nature of the board's role in overseeing management of cybersecurity risk.
While the occurrence of a cybersecurity incident does not trigger a mandatory filing of a current report on Form 8-K, the new guidance encourages companies to report cybersecurity matters promptly on a voluntary Form 8-K filing. This would be of particular relevance to companies with shelf registration statements on file and in use.
The first of the two "new" topics addressed in the new guidance, maintaining effective DCPs, was already covered in the prior guidance, but the focus there was on the risk of these controls being compromised by an event. The new guidance addresses DCPs from a different angle. It stresses the need for DCPs that will allow information about cybersecurity risks and incidents to be processed on a timely basis and, as necessary, reported "up the corporate ladder" so that senior management can make timely decisions regarding required disclosure. Although the new guidance acknowledges that, because of a variety of factors such as cooperation with law enforcement, timely disclosure does not necessarily mean immediate disclosure, the guidance counsels companies to assess their DCPs to ensure that information about potentially serious events will be brought to the attention of senior management for disclosure consideration.
The second new topic, insider trading, was not addressed in the prior guidance. The obvious concern in this regard is that insiders of a company that has sustained a material cyber event refrain from trading in the company’s securities until that event has been disclosed. The more nuanced concern is related to the potential gap between when a company experiences an event and when it determines that the event has had, or is likely to have, a material effect on the company. The new guidance states that companies “would be well served by considering how to avoid the appearance of improper trading during the period following an incident and prior to the dissemination of disclosure.”
Public companies and companies preparing to go public will be well advised to evaluate their cybersecurity disclosures with the new guidance in mind. Further, companies will want to reassess their disclosure controls to ensure that material and potentially material cybersecurity matters are brought to the attention of senior management so that timely disclosure decisions can be made.