Recently, the Securities and Exchange Commission (the “SEC”) unanimously approved new guidance on public companies' disclosure obligations regarding cybersecurity risks and incidents. The SEC's Statement and Guidance on Public Company Cybersecurity Disclosures (the “New Guidance”) discusses the importance of cybersecurity-related disclosure in the context of current reporting obligations, presenting specific guidance on topics for inclusion in public disclosure. In addition, the New Guidance focuses on two aspects of cybersecurity not addressed in prior SEC staff guidance on the topic: (1) the vital importance of enacting and maintaining cybersecurity risk management policies and procedures, including disclosure controls, and (2) the relationship between cybersecurity risk and compliance with insider trading prohibitions.
The issue of cybersecurity disclosure was previously addressed by the SEC’s Division of Corporation Finance, which released guidance in October 2011 indicating that public companies had an obligation to include cyber risks in their disclosure. However, the increase in the scope and frequency of data breaches that has occurred in the intervening years has not been met with a corresponding trend toward addressing cybersecurity risks and incidents in public company disclosure. The New Guidance notes that while cybersecurity disclosure has increased since 2011, only 38% of U.S. public companies included cybersecurity-related risk factors in their SEC filings as of October 2017. Thus, as SEC Chairman Jay Clayton has stated, the New Guidance reflects the hope that “providing the [SEC]’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors.”
General Disclosure Requirements and the Materiality Standard
The New Guidance notes that current disclosure requirements “do not specifically refer to cybersecurity risks and incidents.” Rather, companies have an “obligation to disclose such risks and incidents” that derives from other independent disclosure requirements, such as the Risk Factors and Management’s Discussion and Analysis (“MD&A”) sections required for inclusion in a reporting company’s registration statements under the Securities Act of 1933 and the Securities Exchange Act of 1934 (the “1934 Act”) and periodic reports under the 1934 Act.
Specifically, companies must disclose “such further material information, if any, as may be necessary to make the required statements, in light of the circumstances under which they are made, not misleading.” This materiality standard is fact-specific and should be tailored to a company’s particular cybersecurity risks and incidents. As the New Guidance notes, “materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations.”
Note that the New Guidance does not require companies to make “detailed disclosures that could compromise its cybersecurity efforts—for example, by providing a ‘roadmap’ for those who seek to penetrate a company’s security protections,” such as technical information about cybersecurity systems. Instead, companies should weigh a number of factors in determining whether a particular risk or incident should be considered material, particularly “the range of harm that [cybersecurity] incidents could cause…to a company’s reputation, financial performance, and customer and vendor relationships, as well as the possibility of litigation or regulatory actions.”
Specific Guidance on Public Company Cybersecurity Disclosure
The New Guidance provides insight on important cybersecurity concerns that may be relevant for specific aspects of a public company’s SEC disclosure. In the context of the MD&A, for example, the costs of ongoing cybersecurity efforts, and the impact of cybersecurity incidents or potential incidents, should be considered when analyzing a company’s financial condition or liquidity. Cybersecurity incidents or risks that have a material impact on a company’s products, services, business relationships or competitive conditions should be included in the Description of the Business disclosure, and any proceedings relating to cybersecurity issues should be addressed in the Legal Proceedings disclosure. Also, a company’s financial statement disclosure should reflect information about the impact of cybersecurity events, including increased financing costs, loss of revenue, claims, and investigation and remediation costs.
The New Guidance also identifies several specific points for inclusion as risk factors that public companies should consider in crafting their cybersecurity disclosure. These areas include:
- The occurrence of discrete cybersecurity incidents, “including their severity and frequency;”
- The probability and “potential magnitude” of future incidents;
- The adequacy of preventative actions taken to reduce cybersecurity risks and associated costs;
- Aspects of the company’s business that influence the potential risk of cybersecurity incidents, “including industry-specific risks and third party supplier and service provider risks;”
- The costs associated with maintaining cybersecurity policies and procedures, including insurance costs;
- Existing or pending laws or regulations that may affect a company’s cybersecurity obligations;
- The “potential for reputational harm” caused by cybersecurity incidents; and
- Any litigation, regulatory investigation, and/or remediation costs associated with cybersecurity incidents.
Cybersecurity Risk Management and Insider Trading Policies
In addition to clarifying the disclosure requirements with respect to cybersecurity issues, the New Guidance identifies two additional areas of concern that public companies should consider in the context of cybersecurity and related disclosure.
First, public companies must design and maintain policies and procedures to help manage cybersecurity risks and respond to incidents as they occur. Importantly, such policies must include “appropriate disclosure controls and procedures” that facilitate timely communication of material events to management, including through an “up the corporate ladder” approach, and thereby ensure timely public disclosure. The New Guidance also points to a company’s board of directors as having a crucial role in risk management and oversight. As such, it is vital that directors understand the extent and nature of cybersecurity risk and receive regular updates on cybersecurity matters so that they are able to properly administer and assess these policies and procedures. This means that cybersecurity policies “should not be limited to disclosure specifically required, but should also ensure timely collection and evaluation of information potentially subject to required disclosure, or relevant to an assessment of the need to disclose developments and risks that pertain to the company’s business.” Thus, under the New Guidance, appropriate cybersecurity policies should help companies “identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents.”
Second, public companies should consider adopting insider trading policies that specifically prohibit management and other corporate insiders from trading on the basis of material non-public information regarding a cybersecurity risk or incident. As the New Guidance notes, “information about a company’s cybersecurity risks and incidents may be material nonpublic information, and directors, officers, and other corporate insiders would violate antifraud provisions if they trade the company’s securities in breach of their duty of trust or confidence while in possession of that material nonpublic information.”
Once a company has become aware of a material cybersecurity risk or incident, the New Guidance indicates, it is expected to “make appropriate disclosure timely and sufficiently prior to the offer and sale of securities and to take steps to prevent directors and officers (and other corporate insiders who were aware of these matters) from trading its securities until investors have been appropriately informed about the incident or risk.” The New Guidance suggests enacting appropriate procedural safeguards to ensure that insider trading does not occur while cybersecurity events are being investigated or before they are publicly disclosed. To that end, event-specific blackout periods would serve as an effective prophylactic measure against illegal trading, while also avoiding the appearance of improper conduct following the event.