In our most recent Bryan Cave CLE Seminar “Current Issues Facing Public Companies,” Brendan Johnson presented on the disclosure obligations for reporting companies as they relate to cybersecurity and cyberattacks, sharing three takeaways for reporting companies: (1) evaluate the risks of cyberattacks; (2) understand evolving SEC guidance related to cyber disclosures; and (3) plan ahead for disclosure analysis in the event of a cyber incident. These takeaways are all the more relevant in light of the SEC’s February 21, 2018 guidance for public companies on cybersecurity.
Evaluate the Risks. In a statement issued on September 20, 2017 and reiterated in the February 2018 guidance, Chairman Jay Clayton outlined the risks of cyberattacks, including denials of service and destruction of systems (which can impede important market functionalities), loss or exposure of consumer data, theft of intellectual property, and regulatory, reputational and litigation risks. He underscored the fact that remediation costs are increasing. Companies should consider all of these risks and their related potential costs as they assess whether an incident is likely to meet the “materiality” threshold warranting disclosure – both in advance of an incident and in the event of one.
Understand Evolving SEC Guidance. On February 21, 2018 the SEC released its most recent statements on cybersecurity issues for public companies. Much like Chairman Clayton’s September 2017 statement, the SEC stated that this new guidance on public company cybersecurity disclosures reinforces, and expands upon, CF Disclosure Guidance: Topic No. 2, released by the SEC on October 13, 2011 in connection with cybersecurity disclosures, which remains relevant. Companies were reminded to review and provide appropriate risk factor disclosures and business descriptions that reflect the particular cyber risks and profile of the company. The February 2018 guidance also focused on the importance of maintaining disclosure controls and procedures that cover cybersecurity information, so as to ensure timely reporting of material information, and on the requirement that reporting companies consider insider trading policies and prohibitions in the event of a cyber incident. The February 2018 guidance also referenced the risk management responsibilities of boards of directors and the related disclosure requirements of Item 407(h) of Regulation S‑K.
Plan Ahead. Given the prevalence of cyberattacks, companies should anticipate a cybersecurity event and game plan the response in terms of disclosure. A cybersecurity event is not an enumerated trigger for a Form 8‑K filing; however, a company could report such an event under Item 7.01 as “Regulation FD Disclosure” or Item 8.01 as an “Other Event.” Furthermore, both the New York Stock Exchange and the NASDAQ require companies to report material news to the market on a timely basis, which may include information regarding cyber incidents. There is plenty of room, nevertheless, for a company to determine in good faith that a specific cybersecurity event does not require separate disclosure, and companies should consider advantages and disadvantages of early disclosure when determining how and when to disclose. All public companies with material cybersecurity risks should have a plan in place for appropriate analysis with the appropriate decision makers well in advance of a cyber incident.