On April 2, 2013, the U.S. Securities and Exchange Commission (SEC) issued new guidance endorsing companies' use of social media to disclose information to investors – with certain caveats. The SEC's social media guidance was prompted by its investigation of the personal Facebook posting by the CEO of Netflix regarding material company information.

The SEC observed that personal social media sites of employees would not typically be viewed as channels for disseminating material corporate information. However, in keeping with its 2008 Regulation FD (Reg FD) disclosure guidance, the SEC concluded that social media channels may be appropriate vehicles for corporate communications of material and previously non-public information to investors, so long as companies take steps to ensure that investors know where to find this information. The SEC's social media guidance creates new issues for directors and officers to consider with respect to potential securities law violations and cyber liability.

Regulation FD

Reg FD, set forth at 17 C.F.R. § 243.100, and section 13(a) of the Securities Exchange Act of 1934 generally prohibit public companies from selectively disclosing material, non-public information to securities broker-dealers, other Wall Street professionals, institutional investors or other select shareholders before it is made available to the general public. Reg FD was designed to curb insider trading of a company's stock based on such non-public information.

2008 Disclosure Guidance

With the advent of the Internet, the SEC recognized that companies were increasingly using electronic means to disseminate material information to investors, including the use of corporate websites, blogs and RSS feeds to communicate with shareholders. So on August 7, 2008, the SEC issued updated disclosure guidance on the use of company websites to broadly disseminate previously non-public information to the market.

As reflected in its 2008 disclosure guidance, the SEC provided a sample list of factors to consider in evaluating whether a company's website is a widely recognized channel of distribution for material corporate information, including:

  • Whether the company has made investors and the market aware that it will post important information on its website
  • Whether the company has a pattern or practice of posting such information on its website
  • The extent to which information posted on the website is regularly picked up by the market and media
  • Whether the company keeps its website current and accurate.

However, in light of radical developments in technology over the past few years, the SEC's 2008 guidance did not specifically address corporate use of new forms of social media such as Facebook or Twitter.

Netflix CEO’s Facebook Page

Last summer, the SEC launched an investigation when the CEO of Netflix posted a message on his personal Facebook page announcing that the company’s “monthly viewing exceeded one billion hours for the first time ever” – which represented a nearly 50 percent increase in streaming hours. The SEC observed that this material information, which Netflix had not previously disclosed to investors, caused a surge in the company's stock price following the CEO's Facebook posting and was picked up by stock analysts and numerous media sources. The SEC noted that the public would not ordinarily assume that an employee's personal social media site was a designated corporate platform for reporting material, non-public information to investors. While the SEC declined to institute an enforcement action against Netflix or its CEO, the SEC acknowledged companies' confusion regarding the application of Reg FD to social media.

2013 Social Media Guidance

On April 2, 2013, the SEC issued new social media guidance intended to clarify the application of Reg FD and prior 2008 disclosure guidance to public companies' use of social media.

As reflected in the SEC's new guidance:

  • Reg FD disclosure rules prohibiting selective disclosure of material, non-public information apply equally to social media and other more traditional means of corporate communications such as press releases and SEC filings.
  • To the extent a company intends to rely on social media channels to disseminate material information, the company must alert investors to this fact:

“We emphasize for issuers that the steps taken to alert the market about which forms of communication a company intends to use for the dissemination of material, non-public information, including the social media channels that may be used and the types of information that may be disclosed through these channels, are critical to the fair and efficient disclosure of information. Without such notice, the investing public would be forced to keep pace with a changing and expanding universe of potential disclosure channels, a virtually impossible task.”

In short, the SEC's 2008 disclosure guidance applies to the use of social media and other electronic means for distributing material corporate information – not just company websites. If a company intends to rely on Facebook, Twitter or other social media platforms to communicate with investors, it had better let the investors know in advance.

2011 Cybersecurity Guidance

The SEC's growing interest in cyber-related issues is also evident in separate cybersecurity guidance issued by the agency in October 2011. Recognizing that companies have growing exposure to cyber attacks that could compromise business operations, financial assets, intellectual property, customer data and other sensitive information, the SEC has encouraged companies to disclose any material cyber risks that could impact investors.

Regulation S-K Item 503(c) sets forth general requirements for risk-factor disclosures by companies, including a discussion of the most significant factors that may make an investment in the company “speculative or risky.” Common risk factors may include a company's lack of an operating history, lack of profitable operations, financial position, business prospects or lack of market for the company's securities.

The SEC's cybersecurity guidance notes that companies that fall prey to cyber attacks may suffer significant costs and adverse consequences such as remediation costs, increased cybersecurity protection costs, lost revenue, litigation and reputational damage.

Therefore, the SEC advises companies to disclose material cyber risks, including but not limited to:

  • The aspects of the company's business that give rise to material cyber risks and potential costs
  • Cyber risks posed by third parties to whom the company has outsourced functions
  • A description of past cyber incidents, including costs
  • A discussion of potential future cyber incidents
  • A description of any relevant insurance coverage the company may posses with respect to cyber liability.

Conclusion

While companies have applauded the SEC's new social media guidance, it could create potential liability exposure if companies and their directors and officers fail to heed Reg FD and prior disclosure guidance with respect to the dissemination of material, non-public information. For instance, a company may be liable for violations of federal securities laws if it fails to disclose material information to investors and/or selectively discloses this information.

Additionally, directors and officers may be liable for breach of fiduciary duties if they fail to ensure that a company has adequate controls in place with respect to the proper dissemination of financial information through social media or other outlets. If a company relies on social media or other electronic means to communicate with investors and these are subject to cyber attacks, the company may have a material cyber risk exposure. The company could also face liability for failing to disclose a material cyber risk.

While traditional D&O policies may respond to securities claims by shareholders or the SEC, companies may have to look elsewhere for coverage in the event of a cyber attack or other cybersecurity breach. Also, the use of social media by employees to discuss company news might implicate employment practices liability coverage. Companies that plan to use social media for communicating with investors should make sure they have effective policies, controls and safeguards in place to mitigate potential risk for violations of securities or other laws.