On February 21, the Securities and Exchange Commission issued interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents. Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Securities Act Release No. 10459 (February 21, 2018). The guidance sets forth the Commission’s views on both disclosure and on certain corporate policies and procedures, including those related to insider trading, in the cybersecurity context. Among other things, the release notes the cybersecurity oversight role of the board (which is frequently assigned to the audit committee) and the importance of disclosure concerning that role.
The release explains how existing rules apply in the context of cybersecurity incidents, but does not establish new disclosure or compliance requirements. With respect to disclosure, it largely repeats staff guidance issued in 2011. In a separate statement, SEC Chairman Clayton indicated that the Commission “will continue to evaluate developments in this area and consider feedback about whether any further guidance or rules are needed.” While the interpretive release was approved unanimously, two Commissioners expressed disappointment that it did not go further in requiring disclosure.
Below is a high-level summary of the topics addressed in the release.
Disclosure of Cybersecurity Issues
1. Disclosure Obligations
Although no SEC disclosure requirements refer specifically to cybersecurity risks and incidents, the disclosure rules for various forms, including periodic reports and registration statements, may create an obligation to disclose such risks and incidents, depending on the particular circumstances and on whether the cybersecurity-related information is material. Materiality is, of course, a highly fact-specific determination:
“The materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations. The materiality of cybersecurity risks and incidents also depends on the range of harm that such incidents could cause. This includes harm to a company’s reputation, financial performance, and customer and vendor relationships, as well as the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities.” (footnotes omitted)
When disclosure is required, companies should avoid “generic cybersecurity-related disclosure and provide specific information that is useful to investors.”
2. Risk Factors
Companies should disclose cyber risks if they are among the factors that make investments in the company’s securities speculative or risky. The release includes a series of considerations for making this determination and notes that “companies may need to disclose previous or ongoing cybersecurity incidents or other past events in order to place discussions of these risks in the appropriate context.”
3. Management’s Discussion and Analysis
MD&A requires a discussion of events, trends, or uncertainties that are reasonably likely to have a material effect on results of operations, liquidity, or financial condition. The cost of cybersecurity efforts, the costs and consequences of incidents, and the risks of potential future cyber breaches may fall into this category.
4. Description of Business
In discussing its products, services, and customer relationships, a company may need to discuss the effects of cybersecurity incidents on these aspects of its business, if they are material.
5. Legal Proceedings
Companies are required to disclose information concerning material pending legal proceedings. Cyber incidents may result in material litigation, such as suits against the company stemming from the theft of customer information.
6. Financial Statement Disclosures
The Commission points out that cybersecurity incidents may affect a company’s financial statements in a variety of ways. For example:
- Expenses related to investigation, breach notification, remediation and litigation, including the costs of legal and other professional services;
- Loss of revenue, the cost of providing customers with incentives, or a loss of value of customer relationship assets;
- Claims related to warranties, breach of contract, product recall/replacement, indemnification of counterparties, and insurance premium increases; and
- Diminished future cash flows, impairment of intellectual, intangible or other assets; recognition of liabilities; or increased financing costs.
7. Board Risk Oversight
The Commission’s rules require disclosure of the extent of the board’s role in risk oversight, such as how the board administers its oversight function and the effect on the board’s leadership structure. This disclosure is intended to “provide important information to investors about how a company perceives the role of its board and the relationship between the board and senior management in managing the material risks facing the company.” The release states:
“To the extent cybersecurity risks are material to a company’s business, we believe this discussion should include the nature of the board’s role in overseeing the management of that risk. In addition, we believe disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.”
Policies and Procedures
1. Disclosure Controls and Procedures
The Commission’s rules require companies to maintain disclosure controls and procedures and require management to evaluate their effectiveness. Regarding the application of these rules to cybersecurity, the release states:
“Companies should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications and to facilitate policies and procedures designed to prohibit directors, officers, and other corporate insiders from trading on the basis of material nonpublic information about cybersecurity risks and incidents.
* * *
Controls and procedures should enable companies to identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents.”
2. Insider Trading
The release points out that information about a company’s cybersecurity risks and incidents may be material nonpublic information and that trading in the company’s securities by corporate insiders who are in possession of such information may violate the antifraud provisions of the federal securities laws. Accordingly, while a company is investigating a cybersecurity incident, it should consider implementing trading restrictions. “Company insider trading policies and procedures that include prophylactic measures can protect against directors, officers, and other corporate insiders trading on the basis of material nonpublic information before public disclosure of the cybersecurity incident.”
3. Regulation FD
Regulation FD prohibits companies from making selective disclosure of material nonpublic information to certain persons, such as investment advisors and shareholders, before disclosing the information to the public. The Commission states that it “expect[s] companies to have policies and procedures to ensure that any disclosures of material nonpublic information related to cybersecurity risks and incidents are not made selectively * * * .”
Comment: Audit committees are often tasked with oversight of cybersecurity risks (although this may not always be the best choice – see Audit Committee Overload Redux: Another Survey Finds that Audit Committee Members are Working Harder and Want Responsibility for Risk Assigned Elsewhere, January-February 2015 Update). In that regard, surveys consistently indicate that evaluating the company’s management of cybersecurity risk is one of the top challenges audit committees face. See Audit Committee Members are Challenged By Risk Management and Think They Would Benefit From a Better Understanding of the Business, January-February 2017 Update.
In light of the Commission’s emphasis on disclosure of how the board oversees cybersecurity and how the board engages with management on that issue, many companies are likely to expand their discussion of these topics. The audit committee may have a special interest in ensuring that this disclosure accurately reflects the board’s (and the committee’s) activities. To the extent the audit committee has responsibility for compliance, it may also want to confirm that the company’s disclosure controls and its policies on insider trading and selective disclosure are consistent with the Commission’s comments in the guidance.