In a February 21 Release, the U.S. Securities and Exchange Commission (SEC) announced new interpretive guidance for public companies regarding cybersecurity risk and incident disclosures.
The interpretive guidance reviews existing cybersecurity disclosure regulations, and goes a step further to explain additional disclosures that might be necessary if a company experiences cybersecurity-related incidents or breaches. We believe that this new guidance signals a continuing interest by the SEC in further expanding cybersecurity awareness and compliance.
The new guidance (which expands on the 2011 statement from the SEC’s Division of Corporate Finance, which identified the cybersecurity risk—and consequence—disclosure obligations for public companies) introduces two new areas of focus which had not previously been addressed by the SEC, as follows:
1. Maintaining disclosure controls and public reporting procedures, so that senior management can make timely and accurate assessments and disclosures.
Specifically, the SEC’s guidance emphasized the need for companies to create internal mechanisms to report cyber risks and incidents to higher levels of management (“up the corporate ladder”) so that senior management can promptly determine the timing and scope of appropriate disclosures. The SEC recognizes that requiring prompt and meaningful disclosure in current and periodic reporting (as set out in prior guidance) in turn requires that senior management be made aware of risks and incidents, so that the company can assure adequate public information and file or publish disclosures on time.
2. Restrictions and procedures to prevent insider trading as it relates to cybersecurity incidents.
The second new topic, insider trading, presents altogether new guidance with respect to cybersecurity. The overarching concern is that insiders not trade in the company’s securities following a cyber breach until the event has been fully disclosed – this would seem intuitive for public companies. The second insider trading concern is less obvious and addresses the timing of disclosure: there should be no trading during the period in which the company is assessing whether the risk or incident is material to the company. The guidance states that companies “would be well served by considering how to avoid the appearance of improper trading during the period following an incident and prior to the dissemination of disclosure.” Based on this guidance, insiders should refrain from trading following an incident (or revelation of risk) even if the determination of materiality of the risk or event is not complete.
What should public companies consider doing now?
Following this new interpretive guidance, public companies may want to:
- create controls and procedures that are designed to share risk and incident information with senior management and the board of directors in a timely manner, and
- review and modify existing trading policies to reflect restrictions on trading during any assessment period and during any period prior to disclosure of material cybersecurity risks or incidents.
As always, companies may want to discuss with their attorney and data security professionals the steps needed to periodically review and adjust cyber readiness and response plans, as well as their cyber insurance needs.