On February 21, 2018 the SEC issued an interpretive release to provide further guidance on public company disclosures related to cybersecurity matters and to highlight insider trading and Regulation FD selective disclosure concerns in the context of cybersecurity risks and incidents. The release reinforces, but does not significantly expand, the principles of the SEC’s October 2011 guidance.
The SEC did make clear that trading by insiders after a cybersecurity incident but before public disclosure of that incident will likely violate insider trading prohibitions and that Regulation FD may prohibit the selective disclosure of information about a cybersecurity incident to a covered person. The release encourages issuers to include cybersecurity matters in their policies and procedures, including disclosure controls and procedures, but does not go beyond existing regulations. Accordingly, there is not much new in the release. Although it was unanimously approved, two Commissioners issued separate statements expressing their disappointment that the release did not go further in light of ongoing risks of cybersecurity to capital markets and public companies. That said, the guidance is effective immediately and therefore may be most relevant to companies currently drafting annual reports on Form 10-K for the 2017 fiscal year, refreshing disclosure controls and procedures and updating ethics, Regulation FD and insider trading policies.
Reinforcement of Existing Disclosure Guidance
Generally. The release provides an overview of disclosure requirements and their general applicability in the cybersecurity context. The SEC reiterates the importance of public companies undertaking an assessment of the materiality of cybersecurity risks and incidents, with materiality depending on the nature, extent and potential magnitude of a cybersecurity risk or incident related to the particular company. The release makes clear that a public company need not “make detailed disclosures that could compromise its cybersecurity efforts – for example, by providing a ‘roadmap’ for those who seek to penetrate a company’s security protections.” On the other hand, the SEC does expect that public companies will disclose the cybersecurity risks and incidents that are material to investors, which must include “the concomitant financial, legal, or reputational consequences.”
With respect to the timing of cybersecurity risk or incident disclosure, the release states that a company becoming aware of a material incident or risk must provide timely appropriate disclosure, and that could mean disclosure before all material facts are known and before related internal or external investigations are complete. The SEC reminds issuers of their duty to update disclosure and urges companies to consider whether previous disclosures need to be refreshed, including during the process of investigating an incident.
Finally, the SEC reminds companies to avoid generic, boilerplate disclosures relating to cyber risks and incidents.
Implicated Disclosure Rules. The release tracks the 2011 guidance, reviewing the various disclosure rules that may be implicated in disclosure of cybersecurity risks and incidents, including –
- Risk factors. Under Item 503(c) of Regulation S-K, companies may need to disclose risks associated with cybersecurity and cybersecurity incidents. The release provides a list of issues in evaluating the necessity and scope of cybersecurity risk factor disclosure.
- MD&A. Item 303 of Regulation S-K requires a discussion of events, trends or uncertainties reasonably likely to have a material effect on the company’s financial results or condition. The release reiterates the SEC’s expectation that public companies consider the impact of cyber incidents and risks on future financial results of the company as a whole and the impact on each reportable segment.
- Description of business. The release states that if cybersecurity incidents or risks materially affect a company’s products, services, customer/supplier relationships or competitive conditions, the company must provide that disclosure in the Regulation S-K Item 101 description of business.
- Legal proceedings. To the extent a company is involved in proceedings that relate to cybersecurity issues, Item 103 of Regulation S-K would require disclosure of such proceedings.
- Financial statement disclosures. In the release, the SEC makes the point that cyber incidents and resulting risks can give rise to financial statement disclosures, including those relating to expenses of cyber breach investigations and remediation, loss of revenue, impairment of assets and claims related to product recalls or replacements.
- Board risk oversight. As in the 2011 guidance, the SEC underscores the importance of disclosing how a board administers its risk oversight function as required by Item 407(h) of Regulation S-K and, to the extent material to a company’s business, the cybersecurity risks of the company.
Focus on Policies and Procedures
Disclosure Controls and Procedures. The release emphasizes the importance of including controls and procedures for evaluating the impact of cybersecurity risks and incidents on the company and its business, financial condition and results of operations, as well as including a protocol to determine the potential materiality of those risks and incidents. Companies are encouraged to assess whether existing disclosure controls and procedures are sufficient to ensure that relevant information about cyber risks and incidents is timely processed and reported to enable senior management to make disclosure decisions. In addition, the SEC underscored that the CEO and CFO certifications “should take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact.”
Insider Trading Policies. The release reminds public companies that information about a company’s cybersecurity risks and incidents may be material nonpublic information requiring that company insiders abstain from trading until all material information about the risk or incident has been fully disclosed publicly. The SEC also encouraged public companies to “consider how their codes of ethics and insider trading policies take into account and prevent trading on the basis of material nonpublic information related to cybersecurity risks and incidents.”
Regulation FD. Finally, the release addresses the importance of public companies having policies and procedures in place to ensure that disclosures of material nonpublic information relating to cybersecurity risks and incidents are not made selectively to securities industry persons and shareholders who are covered by Regulation FD.
All public companies should evaluate their current disclosures to ensure that they are consistent with the disclosure guidance contained in the release. They should also consider implementing a readiness plan to ensure appropriate and timely disclosures in the event of a cyber incident. Issuers who have not refreshed disclosure controls and procedures or relevant policies to reflect cybersecurity risks and incidents specifically might do so in the context of a larger data security preparedness exercise or in connection with annual corporate governance reviews and assessments.