In light of the increasing significance of cybersecurity incidents, the Securities and Exchange Commission (SEC) recently found it necessary to provide further guidance with respect to cybersecurity disclosure requirements under the federal securities laws as they apply to public operating companies. On February 21, 2018, the SEC issued interpretive guidance on the cybersecurity disclosures of public companies through a Commission Statement and Guidance on Public Company Cybersecurity Disclosures (2018 Guidance). In its 2018 Guidance, the SEC emphasized the importance of disclosing material cybersecurity risks, even in cases where a company has not yet suffered a cyberattack. According to the SEC, public companies must stay focused on these issues and take all required action to inform investors about material cybersecurity risks and incidents in a fulsome and timely fashion.
The 2018 Guidance expands the SEC’s 2011 guidance on cybersecurity disclosure obligations and highlights a public company’s disclosure requirements when considering their disclosure obligations surrounding cybersecurity risks and incidents. It also addresses the importance of cybersecurity policies and procedures related to disclosure controls and procedures and reminds companies of their obligation to prohibit insider trading on materially non-public information about threats and incidents.
General Disclosure of Cybersecurity Issues
While the SEC concedes that its disclosure requirements do not specifically refer to cybersecurity risks and incidents, the staff reminded companies in its 2011 guidance to consider cybersecurity matters when preparing disclosures for their financial statements and for sections of their filings covering risk factors, management’s discussion and analysis, descriptions of the business and legal proceedings. The SEC expects public companies to disclose cybersecurity risks and incidents that are material to investors, including considering the attendant financial, legal, or reputational consequences. Although companies are required to disclose cybersecurity risks and incidents that are material to investors, the 2018 Guidance reiterates that companies are not expected to disclose publicly specific, information about their cybersecurity systems or vulnerabilities that could compromise their cybersecurity efforts and serve as a roadmap for hackers.
Materiality. The SEC considers omitted information to be material if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available. The materiality of any particular risk or incident is fact-dependent. Once a company has determined that a cybersecurity risk or incident is material, however, it should disclose the information in a timely and sufficiently robust manner.
Risk Factors. A company should disclose the risks associated with cybersecurity and cybersecurity incidents if these risks are among the most significant factors that make an investment in the company’s securities speculative or risky, including those that arise in connection with acquisitions. To place risk factor disclosure in context, however, the SEC stated that companies may need to include disclosure of previous or ongoing cybersecurity incidents. The SEC also provided a list of factors that would be helpful to consider in the evaluation of cybersecurity risk factor disclosure, including the following:
- Severity and frequency of historical incidents;
- Probability of the occurrence and potential magnitude of incidents;
- Adequacy of preventative actions taken;
- Whether the nature of the company’s business exposes the company to risks and consequences;
- Costs of maintaining protection against incidents, including insurance coverage;
- Existing or pending laws and regulations that may affect company requirements or costs relating to cybersecurity; and
- Litigation, regulatory investigation, and remediation costs.
The SEC cautioned companies against boilerplate disclosure language, emphasizing that cyber-risks should be “tailored” to each individual company and should “provide specific information that is useful to investors.”
MD&A of Financial Condition and Results of Operations. Public companies are required to disclose material factors affecting their financial results or condition, as well as known events, trends, and uncertainties that are reasonably likely to have a material effect on their results, liquidity or financial condition. The costs associated with cybersecurity issues (e.g., the cost of ongoing cybersecurity efforts, including enhancements, costs and other consequences of cybersecurity incidents, and risks of potential cybersecurity incidents) may impact a company’s analysis in disclosures pertaining to its financial condition, changes in financial condition, and results of operations. Also, the SEC expects companies to consider these and other impacts of cybersecurity issues on a segment-level basis.
Description of Business. A public company must provide appropriate disclosures where cybersecurity incidents or risks materially affect its products, services, relationships with customers or suppliers, or competitive conditions, such as the loss of intellectual property or the costs of remediation.
Legal Proceedings. Public companies are required to disclose information relating to material pending legal proceedings to which they or their subsidiaries are a party. The SEC noted in particular that this requirement includes any such proceedings that relate to cybersecurity issues. For example, if a company experiences a cybersecurity incident involving the theft of customer information and the incident results in material litigation by customers against the company, the company should describe the litigation, including the name of the court in which the proceedings are pending, the date the proceedings are instituted, the principal parties thereto, a description of the factual basis alleged to underlie the litigation, and the relief sought.
Financial Statement Disclosures. The SEC expects that a company’s financial reporting and control systems would be designed to provide reasonable assurance that information about the range and magnitude of the financial impacts of a cybersecurity incident would be incorporated into its financial statements on a timely basis as the information about the financial impacts of a cybersecurity incident (e.g., costs related to investigation, notification, remediation, and litigation, including legal fees, revenue losses, third-party claims, and diminished future cash flows) become available.
Board Risk Oversight. To the extent cybersecurity risks are material to a company’s business, the SEC believes that disclosures should include the nature of the board’s role in overseeing the management of those cyber-risks. The SEC continued noting that disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility.
Duty to Update or Correct. The federal securities laws do not impose on a public company an affirmative duty to disclose information simply because it is or might be material. Companies considering a cybersecurity disclosure, however, should be aware of its implications for future public statements about the matter. The SEC reminds companies that once they disclose a cybersecurity risk or incident, they “may” have a legal duty to correct or update disclosure that was accurate when made if circumstances change and the statement subsequently becomes inaccurate or misleading. The duty might arise because investors may continue to rely on the original statement in making investment decisions with respect to the company’s securities.
Disclosure Controls and Procedures
The SEC stated that cybersecurity risk management policies and procedures are key elements of enterprise-wide risk management, including as it relates to compliance with the federal securities laws. As such, companies are encouraged to adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly, including the sufficiency of their disclosure controls and procedures as they relate to cybersecurity disclosure.
In this regard, companies should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications and to facilitate policies and procedures designed to prohibit directors, officers, and other corporate insiders from trading on the basis of material nonpublic information about cybersecurity risks and incidents. In addition, to the extent cybersecurity risks or incidents pose a risk to a company’s ability to record, process, summarize, and report information that is required to be disclosed in filings, management should consider whether there are deficiencies in disclosure controls and procedures that would render them ineffective.
Insider Trading and Selective Disclosure
Companies and their directors, officers, and other corporate insiders should be mindful of complying with the laws related to insider trading in connection with information about cybersecurity risks and incidents, including vulnerabilities and breaches. Not addressed in its 2011 guidance, the SEC clarified in the 2018 Guidance that information about a company’s cybersecurity risks and incidents may constitute material nonpublic information, and directors, officers, and other corporate insiders would violate antifraud provisions if they trade the company’s securities in breach of their duty of trust or confidence while in possession of that material nonpublic information.
The SEC also posited that companies should consider whether and when it may be appropriate to place restrictions on insider trading while a cyber investigation is ongoing. In this regard, insider trading policies and procedures that include protective measures can safeguard against directors, officers, and other corporate insiders trading on the basis of material nonpublic information before public disclosure of the cybersecurity incident. According to the SEC, companies would be well-served in considering how to avoid the appearance of improper trading during the period following an incident and prior to the dissemination of disclosure.
Companies also may have disclosure obligations under Regulation FD in connection with cybersecurity matters. Under Regulation FD, “when an issuer, or person acting on its behalf, discloses material nonpublic information to certain enumerated persons it must make public disclosure of that information.” The SEC made clear that it expects companies to have policies and procedures to ensure that cyber-related disclosures are not made selectively and that any Regulation FD required public disclosure is made simultaneously (for intentional disclosures) or promptly (for non-intentional disclosures).
Overall, the 2018 Guidance does not create unduly burdensome new requirements. Companies with reasonable policies and procedures in place most likely will not need to adopt new policies and procedures based on the 2018 Guidance. Companies preparing their annual proxy statements, however, may want to consider whether their presentation on board risk oversight should include a discussion of the board’s oversight of cybersecurity risks. In the meantime, companies should confirm that their disclosure controls and procedures, including cybersecurity incident response plans, are designed to adequately identify cybersecurity incidents and assess their impact, and that information concerning cybersecurity incidents is timely communicated to persons responsible for administering insider trading policies. Finally, companies might also take this opportunity to review their existing policies and procedures to ensure that insider trading and selective disclosure of material nonpublic information are adequately prohibited.