On February 21, 2018, the Securities and Exchange Commission issued an interpretive release [1] providing important guidance to certain registrants on cybersecurity disclosure. Coming on the heels of dozens of high-profile cybersecurity breaches, the SEC’s guidance serves to impress upon registrants that the risks cyber threats pose are “grave,” and that, accordingly, registrants must not only take appropriate precautions in advance, but must also diligently inform investors about material cybersecurity risks and incidents in a timely fashion.
The release reiterates much of the SEC’s 2011 guidance [2] but importantly expands on several key topics, including: (1) cybersecurity as part of required ongoing disclosure; (2) disclosure controls and procedures; (3) insider trading; and (4) selective disclosures. It emphasizes how crippling a cyberattack can be, involving substantial costs and other damaging consequences of material interest to investors. [3]
The SEC guidance applies to all companies required to file reports under the Securities Exchange Act of 1934 (1934 Act) or registration statements that refer to the disclosure requirements of Regulations S-K and S-X with the SEC, including issuers of insurance products that are registered on Forms S-1 and S-3.
Cybersecurity as required disclosure
The SEC guidance makes clear its view that material risks or incidents related to cybersecurity fall within a company’s ongoing obligation to disclose material information in current and periodic reports—and those reports cannot be mere generic statements.
Not all attacks warrant disclosure, and the SEC also acknowledged the reality of complex cyberattacks; namely, that it often takes a company time to identify a cybersecurity breach and discern its scope and severity. But the guidance notes that the existence of an ongoing internal or law enforcement investigation would not, by itself, provide a basis for avoiding “prompt” disclosure of a material cybersecurity breach.
The SEC also reiterated a familiar rule of thumb to help companies decide whether to make a new disclosure or to update previous disclosures. In addition to the information expressly required by Commission regulation, a company is required to disclose such further material information, if any, as may be necessary to make the required statements, in light of the circumstances under which they are made, not misleading. Citing TSC Industries, Inc. v. Northway, Inc., 426 U.S. 438 (1976), the Commission explained that it considers omitted information to be material if there is a “substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available.”
Of course, the SEC does not expect companies to disclose the keys to the castle such that further attacks become that much more likely, but it does expect companies to disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal, or reputational consequences.
On the topic of risks, the SEC guidance provides a list of issues that may merit risk factor disclosure, which includes:
- The occurrence of prior cybersecurity incidents.
- The probability of the occurrence and potential magnitude of cybersecurity incidents.
- The adequacy and associated costs of maintaining cybersecurity systems.
- Aspects of the company’s business that are uniquely exposed to cybersecurity breach.
- The potential for reputational harm.
- Litigation, regulatory investigation and remediation costs associated with a cybersecurity breach.
Cybersecurity disclosure controls and procedures
While many companies have retained IT professionals and outside consultants to assist in maintaining their cybersecurity systems, the SEC’s guidance reminds companies that appropriate reporting channels must exist to support prompt disclosure of material events in SEC filings. The guidance points to the obligations of companies under the 1934 Act [4] and reminds companies that, even when a particular incident ultimately does not result in disclosure, sufficient channels for “up the ladder” reporting must exist so that the company can satisfy its current reporting obligations when one does. In order for the company’s principal executive and financial officers to make a materiality determination on a specific incident, they must be made aware of it in a timely manner and kept informed as the scope and severity of the breach are discovered by the company’s cybersecurity professionals.
The SEC’s guidance reminds registrants’ principal executive and financial officers of their obligation to certify their company’s disclosure controls and procedures in periodic reports. [5] The guidance states that these certifications should take into account “the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact.”
The importance of adequate disclosure controls and procedures underlies the SEC’s point about timely disclosure of material information. Even before a breach occurs, the SEC may scrutinize a registrant for insufficient preparation to comply with its current reporting obligations. Given that cybersecurity continues to be a priority of the SEC’s Office of Compliance Inspections and Examinations (OCIE) for regulatory examinations in 2018, [6] registrants should expect inspections to look critically at their disclosure controls and procedures surrounding cybersecurity events.
Insider trading
Underlying the importance of prompt disclosure of material cybersecurity events is the goal of achieving a balance of information among securities market participants and fairness to investors. Dovetailing with the SEC’s emphasis on prompt and complete disclosure of cybersecurity incidents is the concern that insiders may be able to take advantage of an information disparity to profit from a cybersecurity breach. The SEC’s guidance notes that, given the material nature of information about a cybersecurity incident, the company’s directors, officers and other persons with access to material nonpublic information (its “access persons”) would violate the antifraud provisions of the securities laws if they trade in the company’s securities with knowledge of a cybersecurity breach before it is publicly disclosed. Similarly, as the scope and severity of a cybersecurity breach are revealed, access persons should be prohibited from trading in the company’s securities until that information is made public.
Taking the SEC’s guidance in the context of the controversial timing of certain insider transactions around the discovery of a cybersecurity breach, [7] this point underscores the importance of effective disclosure controls and procedures and the timely release of material information. As companies review their disclosure controls and procedures, the SEC’s guidance may prompt them to revisit their insider trading policies to ensure that trading in the company’s securities is restricted while access persons possess material nonpublic information.
Selective disclosure
The SEC’s guidance concludes by reminding registrants that distributing information only to a narrow audience does not satisfy its disclosure requirements. The guidance emphasizes a registrant’s obligations under Regulation FD to make full disclosure to the general public when disclosing nonpublic information regarding cybersecurity risks and incidents to securities brokers and dealers, investment companies and advisers, and persons the company expects will trade in its securities. While it may seem a comfortable outlet to test news of a cybersecurity breach on analysts covering the company’s securities, the SEC’s guidance reminds registrants that they must make full disclosure of the same information to the general public.
The SEC’s guidance underscores a heightened focus on cybersecurity and serves as a reminder to registrants that cybersecurity is a top priority for the Commission. Indeed, it likely signals an increase in regulatory scrutiny of filings, inspections and enforcement actions, as SEC divisions, including OCIE, are likely to use it as a guide for disclosure review and during examinations. The guidance is consistent with the pressure being exerted on registrants to treat cybersecurity as a critical risk and to ensure that their disclosure properly considers and addresses that risk. It highlights issues for registrants to pay closer attention to, and emphasizes the importance of complete and prompt disclosure of material cybersecurity events and of the controls and procedures necessary to ensure such disclosure. But the guidance also acknowledges the complexity of cyberattacks and the difficulty of determining scope and severity; and it notes that disclosure should not be so detailed as to provide would-be attackers with a roadmap through a company’s cybersecurity protections, or unnecessarily interfere with law enforcement and ongoing investigations of a cybersecurity incident. Executives will have to work closely with their cybersecurity, legal and compliance professionals to find the appropriate balance for disclosure purposes.