Since the arrival of data breach notification obligations, public companies have needed to consider whether to provide public disclosure of a "material" cybersecurity risk or event. On February 21, 2018, the SEC issued new guidance on this question that emphasizes the importance of "timely disclosures" and of measures to prevent insider training based upon cyber-risks or incidents.1
The SEC Cybersecurity Guidance from Wall Street's top cop is nonbinding but instructive in understanding how the Commission may interpret alleged cybersecurity lapses, particularly with regard to enforcement actions in exercising its civil jurisdiction over public companies.
SEC Cybersecurity Guidance
The Cybersecurity Guidance issued on February 21, 2018 is a milestone in that it is the first time the SEC Commissioners collectively have addressed the relevance of cybersecurity issues in public company disclosures and policies. The SEC Cybersecurity Guidance reiterates the importance of (i) abiding by disclosure requirements and (ii) prohibiting insider trading, both areas of traditional SEC enforcement and attention.
As to materiality, the SEC Cybersecurity Guidance advises, "It is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack."
Under SEC requirements, public companies are required to disclose information that is material. Both statements of omission, as well as fraudulently commissioned statements, are actionable. Moreover, companies must update information if initial disclosures prove insufficient as to material information.
The SEC considers information material "if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available."
In weighing this critical question of the materiality of cybersecurity risks or incidents, the SEC Cybersecurity Guidance advises companies to consider:
- Nature, extent and potential magnitude of risk or incident
- Importance of compromised information
- Impact on company operations
- Range of harm to reputation, financial performance and customer and vendor relationships
- Potential for litigation, regulatory investigation and prosecution.
Of course, this does not mean that all cybersecurity incidents should be disclosed. Indeed, disclosure of a smaller cybersecurity incident may itself artificially affect stock price.
The SEC's assessment of the impact of cybersecurity risk on American markets provided the impetus for the SEC Cybersecurity Guidance. In assessing risk, the SEC Cybersecurity Guidance urges companies to consider the following issues:
- Prior cybersecurity incidents
- Probability of risk
- Potential magnitude of incident
- Preventive action and mitigation
- Industry-specific risks
- Costs of insurance, protection, litigation, regulation and remediation
- Reputational harm
- Legal exposure.
The SEC Cybersecurity Guidance regarding insider trading simply underscores the SEC's conviction that the antifraud provisions of the federal securities laws apply with equal force to cybersecurity incidents.
The SEC Cybersecurity Guidance urges companies to proactively issue or amend their corporate code of ethics, policies and procedures to definitively prohibit "trading on the basis of material nonpublic information related to cybersecurity risks and incidents." The SEC aims to (i) prohibit company insiders from taking advantage of cybersecurity incidents to trade manipulatively and (ii) encourage timely dissemination of critical information to the public.
SEC Cybersecurity Guidance on future disclosure requirements
No existing disclosure requirement definitively compels a public company to particularly describe cybersecurity risks, issues or events. However, the SEC Cybersecurity Guidance identifies a plethora of existing disclosure requirements which could require a public company to disclose a cybersecurity risk or incident.
The SEC catalogues these laws, regulations and forms2 by which companies might be required to report cybersecurity risks or incidents, with most relevant sections therein noted:
- Risk factors, updates to same
- Disclosure of all material facts
- Management's discussion and analysis ("MD&A")
- Financial condition, changes to same
- Business and operations, results of same
- Relationships with customers or suppliers
- Competitive conditions
- Corporate governance
- Board risk oversight
- Valuation and disclosure of controls and procedures, effectiveness of same
- Legal proceedings
In the event of a cybersecurity incident, the SEC will view favorably a law-abiding business environment. Establishing proper documentation, controls and training are first steps in establishing a compliant corporate culture.
SEC recent history of cybersecurity statements
Last week's SEC Cybersecurity Guidance did not issue in a vacuum. For months, various parts of the Commission including the Chair himself have sounded the alarm on cybersecurity issues.
The SEC established a unit to specialize in pursuing cybersecurity fraud in September 2017. The SEC filed four matters in the last six months alleging securities cyberfraud. In the Trump era, the SEC has devoted more attention to cybersecurity than any other topic, issuing statements regarding the dangers of cyber Ponzi schemes, celebrity endorsements and cryptocurrency, among at least a dozen recent pronouncements.
Two Commissioners took the unusual step of issuing separate statements to criticize the Commission for taking insufficient action to attack the securities problems created by cybersecurity risks and incidents. Commissioner Kara M. Stein asserted that corporations have failed to make "meaningful disclosure" when confronting cybersecurity risks and incidents. Commissioner Robert J. Jackson Jr. warned that the SEC Cybersecurity Guidance was a "first step toward defeating those who would use technology to threaten our economy."
Potential action items
In light of the SEC Cybersecurity Guidance, public companies may want to consider the following steps:
- Review your corporate disclosure forms, controls and procedures to include descriptions of material risks, corporate impact and oversight in the areas of cybersecurity.
- Ensure that SEC disclosure review is part of your incident response program.
- Amend your corporate policies to explicitly prohibit insiders from trading when they are aware of material, nonpublic information regarding cybersecurity incidents.
- Continue training your employees, officers and directors about cybersecurity risks and responsibilities and incorporate high-level elements of the SEC Cybersecurity Guidance in the training going forward.