On February 21, 2018, the U.S. Securities and Exchange Commission (SEC) issued updates to its interpretive guidance on how public companies should disclose cybersecurity breaches and risks.
There are two core messages at the heart of the SEC's most recent guidance, which builds upon topics not developed in the SEC's 2011 guidance on cybersecurity disclosure obligations. First, it states that it is "critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack."
Second, the guidance also stresses that firms must take steps to prevent executives and others with previous knowledge of a breach from trading in its securities before the information is made public.
The guidance cites the importance of maintaining disclosure controls and procedures for discerning the impact of cybersecurity risks and incidents on the company's business operations and financial condition. The guidance also recommends that such controls are best achieved when a company's directors and officers are involved in formulating and assessing them on an ongoing basis.
When assessing materiality of cybersecurity risks and incidents, companies should consider the potential harm to the company's reputation, financial performance, and customer and vendor relationships, as well as the possibility of litigation or regulatory investigations or actions. The SEC acknowledges that it does not expect companies to disclose specific, technical information about their cybersecurity measures or potential systems vulnerabilities, but should disclose risks at a level that are material to investors, including the concomitant financial, legal or reputational consequences posed by such risks.
With respect to cybersecurity incidents in particular, the SEC acknowledges that a pending law enforcement investigation of an incident would shape the disclosure regarding the incident, but would not on its own provide a basis to withhold or avoid disclosure of a material cybersecurity incident. In addition, in the course of investigating a cybersecurity incident, the guidance provides that it may be necessary to "revisit or refresh" a previous disclosure if the company determines a prior disclosure was untrue at the time it was made (or omitted a material fact to make the disclosure not misleading).
The SEC reminds companies that it is illegal to trade a security on the basis of "material nonpublic information about that security or issuer" and that information about a company's cybersecurity risks and incidents may be material nonpublic information. In addition, the guidance recommends that companies consider how their codes of ethics and insider trading policies take into account and prevent trading on the basis of material nonpublic information relating to cybersecurity risks and incidents.
The new guidance comes after one of the three major credit reporting agencies attracted massive scrutiny in Washington, D.C. and across the country for a breach that impacted over 145 million American consumers. The agency reportedly discovered the breach internally at the end of last July but did not publicly disclose it until September.