As you probably read in the papers (see, e.g., this article from the WSJ), SEC Chair Jay Clayton announced yesterday that, in 2016, the SEC’s EDGAR system was hacked and, in August 2017, the staff determined that the hack may have led to insider trading. The hackers took advantage of “a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery….” The SEC believes “the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk. Our investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities.” As part of his lengthy statement, Clayton addressed the cybersecurity considerations that the staff applies in the context of its review of public company disclosures.
Clayton highlighted, as still relevant today, the principles-based Disclosure Guidance that Corp Fin issued in 2011
“to help public companies consider how issues related to cybersecurity should be disclosed in their public reports. The staff guidance discusses, among other things, cybersecurity considerations relevant to a company’s risk factors, management’s discussion and analysis of financial condition and results of operation, description of business, discussion of legal proceedings, financial statements, and disclosure controls and procedures…. Accordingly, issuers should consider whether their publicly filed reports adequately disclose information about their risk management governance and cybersecurity risks, in light of developments in their operations and the nature of current and evolving cyber threats. The Commission also will continue to evaluate this guidance in light of the cybersecurity environment and its impacts on issuers and the capital markets generally.”
He also emphasized that “[i]ssuers and other market participants must take their periodic and current disclosure obligations regarding cybersecurity risks seriously, and failure to do so may result in an enforcement action.”
The 2011 Disclosure Guidance addresses, among other things, existing disclosure requirements that may impose an obligation to disclose risks and incidents, such as in risk factors, MD&A, description of business, legal proceedings, financial statement disclosures and disclosure controls and procedures. For example, with regard to risk factor disclosure, the Guidance urged companies to disclose the risk of cyber incidents if that risk was among the company’s most significant. In determining whether risk factor disclosure was required, the staff indicated that it expected companies to evaluate their cybersecurity risks and take into account all available relevant information:
- prior cyber incidents and the severity and frequency of those incidents;
- the probability of future cyber incidents;
- quantitative and qualitative magnitude of the potential consequences, including costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption; and
- the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which the company operates and risks to that security, including threatened attacks of which the company was aware.
The staff advised that the disclosure should adequately describe the nature of the material risks and specify how each risk affected the company, avoiding generic risk factor disclosure that could apply to any company.
Depending on the facts and circumstances, appropriate disclosures may include:
- Discussion of aspects of the business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
- To the extent the company outsources functions that have material cybersecurity risks, description of those functions and how the company addresses those risks;
- Description of cyber incidents experienced by the company that are individually, or in the aggregate, material, including a description of the costs and other consequences;
- Risks related to cyber incidents that may remain undetected for an extended period; and
- Description of relevant insurance coverage.
Any known or threatened cyber incidents, the staff advised, may need to be disclosed “to place the discussion of cybersecurity risks in context. For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur. Instead, as part of a broader discussion of malware or other similar attacks that pose a particular risk, the registrant may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences.” Rather than “boilerplate” disclosure, companies should provide “sufficient disclosure to allow investors to appreciate the nature of the risks faced by the particular registrant in a manner that would not [compromise its cybersecurity].”
In preparing the Guidance, the staff took into account “potential concerns that detailed disclosures could compromise cybersecurity efforts—for example, by providing a ‘roadmap’ for those who seek to infiltrate a registrant’s network security—and [the staff] emphasize[d] that disclosures of that nature are not required under the federal securities laws.”
For a more complete summary of that 2011 Disclosure Guidance on cybersecurity risks and incidents, see my News Brief of October 14, 2011.
Interestingly, the 2011 Guidance may have been prompted by a 2011 letter from former Senator Jay Rockefeller, then chair of the Senate Commerce Committee, requesting that the SEC issue guidance on disclosure of security risks related to breaches of security and unauthorized data disclosure. The request followed the hacking of Sony’s PlayStation Network, which put the personal information of 77 million consumers into jeopardy, according to The Hill. The Committee was dismayed that there was a delay before the company released information about the attack—sound familiar?—and the Committee’s letter expressed concern that a “substantial number” of companies do not consistently report information security risks to investors on a timely basis. The absence of this information “impairs investor decision-making,” the Committee argued. Then-SEC Chair Mary Schapiro responded with a letter admonishing public companies to “disclose to investors the threat and potential impact of cyber attacks that pose a ‘specific and material’ risk.” (See this Bloomberg article.) Schapiro also asked the staff to advise whether additional guidance was needed, which led to the more complete 2011 Guidance from Corp Fin. While Rockefeller viewed that Guidance as an important first step, in 2013, he urged new SEC chair Mary Jo White to issue more authoritative cybersecurity disclosure guidance to encourage more publicly traded companies to detail their cybersecurity risks and what steps they were taking to mitigate the threats. While a number of companies did include disclosure in their 10-Ks in response to the staff’s guidance, Rockefeller expressed concern in his correspondence to White “that many companies were still not being upfront about cyberrisks and incidents, a shortcoming that more formal commission-level interpretive guidance could help fix. ‘Over the past two years, the importance of cybersecurity and its impact on our country’s future has only grown….For that reason, I strongly urge you to address this issue as one of your highest priorities as SEC chairman’” (See this Cooley News Brief.)