On February 21, 2018, the Securities and Exchange Commission (SEC) published interpretive guidance, titled “Commission Statement and Guidance on Public Company Cybersecurity Disclosures” (Release No. 33-10459), to assist public companies in preparing disclosures concerning cybersecurity risks and incidents. The interpretive release expands upon the SEC Division of Corporation Finance’s 2011 guidance on cybersecurity to emphasize the importance of going beyond generic disclosures to provide detailed information in connection with cybersecurity risks and incidents, as well as implementing comprehensive cybersecurity policies and procedures. The release emphasized several areas in particular, including board oversight, disclosure controls and procedures, insider trading and Regulation FD, each of which is described in greater detail below.
While the basic disclosure requirements for periodic and current reports and registration statements do not explicitly reference cybersecurity risks and incidents, the release highlights various rules that do impose an obligation to disclose such risks and incidents depending on a company’s particular circumstances and the materiality of that information. These include the disclosure requirements for risk factors, management’s discussion and analysis of financial condition and results of operations, description of the business, legal proceedings, financial statement disclosures, and risk oversight by the board of directors. The SEC has provided detailed considerations under each of these topics for evaluating the nature of the information that a company would be expected to disclose.
The guidance suggests that, in determining their disclosure obligations, “companies generally weigh, among other things, the potential materiality of any identified risk and, in the case of incidents, the importance of any compromised information and of the impact of the incident on the company’s operations.” Materiality may depend on the “nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations” and the range of harm that the incidents could cause, including with respect to “a company’s reputation, financial performance, and customer and vendor relationships, as well as the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities.”
The SEC recognizes the challenges in determining the timing for cybersecurity disclosures, because companies often require time to understand the scope of an incident and determine what disclosure is required. In addition, the release notes that companies are not required to include disclosures that would provide a “roadmap” for how to breach a company’s security protections, such as “technical information about their cybersecurity systems, the related networks and devices, or potential system vulnerabilities in such detail as would make such systems, networks, and devices more susceptible to a cybersecurity incident.” The release reminds companies to watch for situations in which they need to correct or update prior disclosure as additional information is learned.
Cybersecurity Policies and Procedures
Board Risk Oversight
The guidance references the existing requirement under Item 407(h) of Regulation S-K to disclose the board of directors’ role in the risk oversight of the company, and suggests specific discussion of the nature of its role in cyber risk management, especially if cybersecurity risks are material to the company’s business. The SEC indicates that disclosure regarding a company’s cybersecurity risk management program and how its board engages with management on cybersecurity issues allows investors to assess how a board is discharging its responsibilities in an area of increasing importance. The SEC’s call for more disclosure of the board’s involvement with cybersecurity issues may prompt companies to broaden or deepen the board’s engagement with these issues.
Disclosure Controls and Procedures
The release encourages companies to have comprehensive policies and disclosure controls and procedures that ensure senior management is promptly made aware of important cybersecurity issues to enable informed disclosure decisions regarding the substance of any issue and facilitate appropriate officer certifications and disclosure regarding the effectiveness of those controls and procedures. When designing and evaluating disclosure controls and procedures, the SEC suggests that they should “enable companies to identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents.” In addition, a company should not limit its disclosure controls and procedures to only what is specifically required. It also should ensure timely collection and evaluation of information potentially subject to required disclosure.
Insider Trading and Regulation FD
The SEC reminds companies that cybersecurity risks and incidents may constitute material nonpublic information that triggers insider trading and Regulation FD considerations. Existing insider trading policies and Regulation FD policies should already cover any type of material nonpublic information, including cybersecurity matters, but companies should consider highlighting this possibility through training, or by adding cybersecurity incidents to the lists of examples of potentially material information included in these policies. Those administering the policies also should establish processes to ensure they are aware of developing cybersecurity incidents when determining whether trading windows should be closed or specific trades should be approved. Even where no insider trading violation has occurred, companies may be subject to scrutiny if executives trade before the disclosure of cyber incidents that later develop into significant events. Along the same lines, companies need to be mindful of making selective disclosure of cybersecurity events to the persons enumerated under Regulation FD (namely, securities market professionals and holders of the company’s securities who may reasonably be expected to trade on the basis of such information) before that information is announced publicly. Policies and procedures for addressing a cybersecurity event should alert those handling the situation to the need to maintain appropriate confidentiality until a public announcement is ready to be made.
Actions to Consider
Overall, the interpretive guidance highlights the SEC’s increased attention to disclosures related to cybersecurity and its concern that investors may not be fully informed about growing cybersecurity risks. Companies should review and consider refreshing the disclosures in their periodic reports and registration statements, taking into account the detailed considerations outlined in the guidance and how cybersecurity risks and incidents may be material to the information that must be presented. In addition, companies should evaluate their policies and procedures to consider whether the board’s oversight of cybersecurity issues is in line with the risks faced by the company, and whether information regarding such risks and incidents is developed and communicated in a way that results in accurate and timely disclosure and avoids inadvertent insider trading and Regulation FD violations.