On Feb. 21, 2018, the Securities and Exchange Commission (SEC) issued interpretive guidance on its expectations for corporate disclosures on cybersecurity risks. The guidance delineates where it believes existing SEC rules encompass cybersecurity risks and associated disclosures, and reinforces the underlying concern that "Cybersecurity risks pose grave threats to investors, our capital markets and our country." It goes on to say, "As companies' exposure and reliance on networked systems and the Internet have increased, the attendant risks and frequency of cybersecurity incidents have increased." This guidance builds on existing SEC guidance first issued in 2011 and tracks concerns raised by the White House in Executive Order (EO) 13800, discussed in a prior blog. EO 13800 raised the question of whether there is sufficient transparency from corporations to investors about cybersecurity risks, and required the U.S. Departments of Commerce and Homeland Security to report to the President on their findings.
The guidance issued yesterday reinforces that cybersecurity risks must be evaluated against the materiality standard and adds two new areas of clarification: the "importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents," and how the current prohibitions against insider trading apply to cybersecurity. The guidance lists specific areas where cybersecurity disclosure would be required and also notes that it "considers omitted information to be material if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that the disclosure of the omitted information would have been viewed by a reasonable investor as having significantly altered the total mix of information available." At the same time, it includes both a reminder that Exchange Act Rules 13a-14 and 15d-14 require the CEO and CFO "to make certifications regarding the design and effectiveness of disclosure controls and procedures…" and a note that "These certifications should take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact."
In the last few years the SEC has increased oversight and audits of companies, including specifically the filings of companies that have experienced publicly reported cybersecurity attacks. In addition to raising concerns about cyber risks to the nation's national and economic security, the White House has also indicated its support for an increased SEC oversight and enforcement role, including a recommended increase of 3.5 percent in the President's proposed FY 2019 budget. A portion of that increase would provide for 100 new positions, allow the restoration of 24 examiners in the Office of Compliance Inspections and Examinations (13 of which will be overseas), and fund a $19 million increase in the SEC's enforcement budget.
The SEC's actions come at a time when other federal regulators are also stepping up enforcement on cybersecurity issues, proposing new regulations, and issuing guidance that existing regulations covering safety or security issues have been interpreted to include cybersecurity. It is important to note that while the guidance said companies must have comprehensive cybersecurity policies, it did not prescribe what should be in them. Rather, for those sectors that already have federal mandates for policies of this kind, it reinforces the existing mandates. Not all sectors have such requirements, however, so the SEC guidance may fill a gap that exists for some sectors.
While the Administration has committed itself to deregulation in other areas, cybersecurity remains a national security risk that is exempt from these efforts, since national security concerns are excluded from the EO "Reducing Regulation and Controlling Regulatory Costs" issued on Jan. 30, 2017. This also comes at a time when other nations around the world have new cybersecurity and privacy laws coming into effect, including the EU's General Data Protection Regulation (GDPR) and the Network and Information Security (NIS) Directive, both of which carry robust mandates and significant financial penalties, making for a complex compliance regime for global companies.