The U.S. Securities and Exchange Commission issued an interpretative release on cybersecurity disclosure on February 21, 2018. While the release largely reiterates earlier guidance,[1] its endorsement by a unanimous Commission[2] serves to highlight the SEC’s focus on this topic in light of the “evolving landscape of cybersecurity threats” faced by public companies.
The latest guidance reaffirms and puts the full weight of the SEC behind the earlier guidance, which was explicitly “neither approved nor disapproved” by the Commission. SEC Chairman Jay Clayton further hammered home the agency’s renewed emphasis on cybersecurity in a public statement issued on the same day as the new guidance in which he noted that he had “asked the Division of Corporation Finance to continue to carefully monitor cybersecurity disclosures as part of their selective filing reviews.”
In addition to echoing the 2011 guidance, the latest release also expanded that guidance in several respects:
Cybersecurity policies and procedures. The release “stresses the importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents” as part of public companies’ obligations to maintain adequate disclosure controls and procedures. Companies should specifically create cybersecurity policies and procedures, periodically test for compliance with them, and ensure that they are in a position to disclose the potential impact of any cyber incident in a timely manner. Company audit and disclosure committees should consider these matters and reflect that consideration in appropriate minutes.
Application of insider trading prohibitions in the cybersecurity context. The release offers a reminder to companies of their obligation under Regulation FD “to refrain from making selective disclosures of material nonpublic information about cybersecurity risks or incidents” and of the general insider trading prohibitions under the federal securities laws. Companies and their insiders should not trade in company securities while public disclosure of a significant cyber incident is pending.
Disclosure guidance. Despite these warnings and reminders, the release stresses that the SEC does not intend for companies to make specific, technical disclosures about their cybersecurity systems that might expose potential vulnerabilities or provide a “roadmap” to hackers seeking to penetrate companies’ security safeguards. On the other hand, while the Commission recognized that it may take time to discern the impact of a cyber incident, it emphasized that an ongoing investigation was not necessarily grounds to avoid or delay disclosure of a material incident.