In the wake of recent notable data breaches, the United States Securities and Exchange Commission issued an interpretive release designed to improve the timeliness and accuracy of public companies’ disclosures of cybersecurity risks and incidents and prevent insider trading. An “incident” for purposes of the guidance is a broader term than “breach,” and includes an “occurrence that actually or potentially results in adverse consequences to” a company’s information system. The SEC’s guidance release and this post raise several issues and concerns that all companies, regardless of size and ownership, need to take seriously to improve their cybersecurity planning and legal compliance.
The SEC’s Guidance
Disclosing Cybersecurity Risks and Incidents
The SEC’s recent guidance follows up on 2011 guidance from the Division of Corporation Finance that acknowledged that while federal securities disclosure requirements do not explicitly refer to cybersecurity risks and incidents, companies may be obligated to disclose them. Many companies responded to that guidance by including additional cybersecurity disclosures in their reporting, primarily in the form of risk factors. The SEC’s recent guidance “reinforces and expands” on the 2011 guidance by providing more detail as to the form, breadth, and timing of those disclosures.
In terms of form, the guidance refers to a number of disclosure requirements that may obligate a company to disclose cybersecurity risks and incidents “depending on a company’s particular circumstances,” including periodic reports such as a Form 10-K, registration statements, and current reports such as a Form 8-K or Form 6-K. Both a company’s obligation to disclose and the information required to be disclosed are assessed under the materiality standard. Companies are to weigh “the potential materiality of any identified risk and, in the case of incidents, the importance of any compromised information and of the impact of the incident on the company’s operations.” A company’s materiality analysis is fact-dependent and turns on the “nature, extent, and potential magnitude” of the risk or incident, particularly as it relates to the sensitivity and scope of the information compromised.
Companies should also look to the range of harm that flows from the incident, including reputational harm, harm to financial performance, damage to relationships with customers and vendors, and the risk of both civil litigation and government regulatory enforcement against the company. Importantly, the SEC notes that companies must provide sufficiently detailed information about risks and incidents to investors and must avoid generic, boilerplate language. That said, the SEC clarifies that it does not intend for a company’s disclosures to “compromise its cybersecurity efforts” by providing “specific, technical information about [its]” systems, networks and devices, and potential vulnerabilities that would provide hackers or others with a “roadmap” for an attack.
Maintaining More Robust Cybersecurity Policies and Procedures and Precautions Against Insider Trading
Breaking new ground, the SEC’s guidance specifically encourages companies “to adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly.” While these should include disclosure controls and procedures specific to cybersecurity, the guidance speaks in much broader and more holistic terms, encouraging companies to adopt a comprehensive plan to ensure that they are managing their enterprise-wide cybersecurity risks. This plan should include controls and procedures that enable companies to identify their risks and vulnerabilities, assess and evaluate their business impact and significance, allow for necessary communications between technical experts and disclosure advisors, advise company decision-makers (including the board), and make timely and accurate disclosures. Ultimately, the goal is for companies to be more proactive in addressing today’s threat landscape and to properly advise their investors and the public of risks and incidents in a timely fashion.
Also new in the SEC guidance is specific direction that public companies must abide by insider trading prohibitions in the cybersecurity context. As the guidance notes: “directors, officers, and other corporate insiders must not trade a public company’s securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company.” To that end, companies should adopt and maintain policies and procedures that prevent an individual from trading the company’s securities on material nonpublic information about a breach or incident before the public is notified. Not only will such measures mitigate the legal risks associated with insider trading, but they will also guard against the reputational harm that has accompanied recent breaches.
The SEC’s guidance is just the latest indication that government regulators want companies to improve both their overall cybersecurity and their incident response and notification procedures. Public and private companies alike should use this as an opportunity to assess their current systems and procedures to ensure that they are addressing cybersecurity risks and that they are ready to respond to security incidents and to provide the required notifications and disclosures in a timely manner. Public companies should also examine and, if necessary, update their insider trading policies to account for the guidance’s express prohibitions.