Yesterday, the SEC announced that it had adopted—without the scheduled open meeting, which was abruptly cancelled with only a cryptic statement—long-awaited new guidance on cybersecurity disclosure. The guidance addresses disclosure obligations under existing laws and regulations, cybersecurity policies and procedures, disclosure controls and procedures, insider trading prohibitions and Reg FD and selective disclosure prohibitions in the context of cybersecurity. The new guidance builds on Corp Fin’s 2011 guidance on this topic (see this Cooley News Brief), adding in particular new discussions of policies and insider trading. While the guidance was adopted unanimously, some of the Commissioners were not exactly enthused about it, viewing it as largely repetitive of the 2011 guidance—and hardly more compelling. Anticlimactic? See if you agree.
In a published statement, Chair Jay Clayton expressed his view that the guidance “will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors.” He encouraged “public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives.” He also indicated that Corp Fin will be monitoring cybersecurity disclosures as part of their selective filing reviews. The SEC will also consider feedback about whether any further guidance or rules are needed.
Some of that feedback is already here—from two of the Commissioners. In a published statement, new Commissioner Robert Jackson expressed his reluctant support for the guidance, which, he said, “essentially reiterates years-old staff-level views on this issue. But economists of all stripes agree that much more needs to be done.” That includes the White House’s own Council of Economic Advisers, which Jackson quoted at length: Companies may tend to underinvest in cybersecurity, the Council’s report said, but regulators can provide investment incentives through, for example, mandatory disclosure requirements. However, “the effectiveness of the SEC’s 2011 Guidance is frequently questioned. There are concerns that companies underreport events due to alternative interpretations of the definition of ‘materiality’ … There are also concerns that the disclosure requirements are too general and do not provide clear instructions on how much information to disclose, and that they therefore ‘fail to resolve the information asymmetry at which the disclosure laws are aimed.’”
Commissioner Kara Stein likewise “supported the Commission’s guidance, but not without reservation.” In her statement, she indicated that she was “disappointed with the Commission’s limited action.” While the guidance includes “valuable reminders,” she said, the problem
“is that many of these reminders were offered by the staff back in 2011. If our staff has already provided guidance regarding cyber-related disclosures, the question, then, is what we, as the Commission, should be doing to add value given seven additional years of insight and experience … The more significant question is whether this rebranded guidance will actually help companies provide investors with comprehensive, particularized, and meaningful disclosure about cybersecurity risks and incidents. I fear it will not … That is why, as I have remarked before, it is imperative that the Commission do more. As we have heard from a variety of commenters since the 2011 staff guidance, guidance, alone, is plainly not enough. This makes it all the more confusing that the Commission more or less reissued that very guidance. Simply put, seven years since the staff guidance was released, despite dramatic increases in cyberattacks and their related costs, there have been almost imperceptible changes in companies’ disclosures. This to me strongly suggests that guidance alone is inadequate.”
Disclosure Obligations Generally; Materiality
The guidance highlights the pervasiveness of, and increasing reliance by companies on, digital technology to conduct their operations and engage with customers and others. In that light, the threat of cybersecurity incidents, whether from unintentional events or deliberate attacks, “presents ongoing risks and threats to our capital markets and to companies operating in all industries.” These events or attacks may include “the use of stolen access credentials, malware, ransomware, phishing, structured query language injection attacks, and distributed denial-of-service attacks, among other means. The objectives of cyber-attacks vary widely and may include the theft or destruction of financial assets, intellectual property, or other sensitive information belonging to companies, their customers, or their business partners.”
In addition to significant financial costs, the guidance identifies these other potential consequences of a breach:
- “remediation costs, such as liability for stolen assets or information, repairs of system damage, and incentives to customers or business partners in an effort to maintain relationships after an attack [including ransom];
- increased cybersecurity protection costs, which may include the costs of making organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third party experts and consultants;
- lost revenues resulting from the unauthorized use of proprietary information or the failure to retain or attract customers following an attack;
- litigation and legal risks, including regulatory actions by state and federal governmental authorities and non-U.S. authorities;
- increased insurance premiums;
- reputational damage that adversely affects customer or investor confidence; and
- damage to the company’s competitiveness, stock price, and long-term shareholder value.”
As in the 2011 guidance, the new guidance explains that, although there are no disclosure requirements that specifically refer to cybersecurity risks and incidents, the obligation to disclose material cybersecurity risks and incidents would still arise, depending on a company’s particular circumstances, in the context of many required disclosure documents, including registration statements and periodic and current reports. For example, the SEC encourages companies to use current reports on Form 8-K to promptly report the costs and other consequences of material cybersecurity incidents. And, under Rule 10b-5 and similar provisions, companies should consider whether their cybersecurity disclosures provide all material facts required to be stated therein or necessary to make the statements therein not misleading. Exchange listing standards also impose disclosure obligations.
In determining whether disclosure regarding cybersecurity risks and incidents is necessary, “companies generally weigh, among other things, the potential materiality of any identified risk and, in the case of incidents, the importance of any compromised information and of the impact of the incident on the company’s operations.”
But how is “materiality” assessed in the context of cybersecurity? The SEC notes that the Basic v. Levinson probability/magnitude test is still a relevant part of the analysis. The SEC also advises that “materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations.” In that regard, the SEC notes that compromised information “might include personally identifiable information, trade secrets or other confidential business information, the materiality of which may depend on the nature of the company’s business, as well as the scope of the compromised information.” Materiality “also depends on the range of harm that such incidents could cause. This includes harm to a company’s reputation, financial performance, and customer and vendor relationships, as well as the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities.” As always, the SEC cautions companies to “avoid generic cybersecurity-related disclosure and provide specific information that is useful to investors.”
Although companies are expected to “disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal, or reputational consequences,” the SEC makes clear that companies are not expected to provide detailed roadmaps or specific technical information about potential system vulnerabilities that would compromise a company’s security protections.
The SEC recognizes that it may take time to investigate and understand the implications of an incident; however, “an ongoing internal or external investigation—which often can be lengthy—would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.” (Recall that the SEC felt obligated to make disclosure about its own cyberbreach, even though the investigation was ongoing.) In addition, the SEC advises companies to consider revisiting prior disclosures as they may have a “duty to update” (where disclosure becomes false as a result of subsequent developments) or a “duty to correct” (where prior disclosures are determined to have been untrue when made, including, the SEC observes, “if the company subsequently discovers contradictory information that existed at the time of the initial disclosure.”)
The federal securities laws do not impose on public companies a general affirmative duty to continuously disclose material information. However, that duty will arise as a result of a number of events or circumstances, such as any of the following:
- to satisfy a company’s SEC reporting requirements, such as under the Form 8-K triggering events;
- to satisfy obligations under a listing agreement with an exchange;
- when the company or its insiders are trading in the company’s securities;
- when the company learns that a prior statement it made was materially untrue or misleading at the time it was made;
- when the company is otherwise making public disclosure and the omission of material information could be misleading; or
- when rumors are in the marketplace that are attributable to the company (although the company is generally not required to respond to conjecture about the company except pursuant to stock exchange guidelines).
Cybersecurity Disclosure Obligations in Specific Contexts
The guidance then discusses how issues related to cybersecurity and cyber incidents are addressed in the context of specific rule requirements.
Companies should disclose the risks related to cybersecurity and cyber incidents if those risks are among the company’s most significant. In determining whether risk factor disclosure is required, the SEC advises that companies consider the following factors:
- “the occurrence of prior cybersecurity incidents, including their severity and frequency;
- the probability of the occurrence and potential magnitude of cybersecurity incidents;
- the adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including, if appropriate, discussing the limits of the company’s ability to prevent or mitigate certain cybersecurity risks;
- the aspects of the company’s business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks, including industry-specific risks and third party supplier and service provider risks;
- the costs associated with maintaining cybersecurity protections, including, if applicable, insurance coverage relating to cybersecurity incidents or payments to service providers;
- the potential for reputational harm;
- existing or pending laws and regulations that may affect the requirements to which companies are subject relating to cybersecurity and the associated costs to companies; and
- litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.”
Companies will need to consider disclosing prior material incidents to provide context. The guidance explicitly states, as an example, that “if a company previously experienced a material cybersecurity incident involving denial-of-service, it likely would not be sufficient for the company to disclose that there is a risk that a denial-of-service incident may occur.” (That’s a good point to keep in mind when crafting other risk factors as well.) Instead, the SEC warns, “the company may need to discuss the occurrence of that cybersecurity incident and its consequences as part of a broader discussion of the types of potential cybersecurity incidents that pose particular risks to the company’s business and operations. Past incidents involving suppliers, customers, competitors, and others may be relevant when crafting risk factor disclosure.”
In a recent speech at Stanford, SEC Commissioner Kara Stein identified cybersecurity as “one of the biggest challenges facing corporations and their shareholders, their employees and consumers, and our economy as a whole.” While shareholders have long been advocating that companies provide more information on company practices relating to cybersecurity, “good information remains scarce. Unfortunately, corporate disclosures are far from robust and largely consist of boilerplate language that fails to provide meaningful information for investors.” Even though there seems to be general agreement on the importance of cybersecurity today, why companies were “not doing more to implement robust cybersecurity frameworks and to provide meaningful disclosures regarding the risks of data loss” was something of a mystery. One possible reason, however, could be that companies “tend to view cyberthreats as a technology problem instead of, more appropriately, a business risk.” However, when cybersecurity is viewed to be simply an “IT” problem, it is then “hoisted on the shoulders of a company’s chief information officer. Too often, this has led to a failure to integrate cybersecurity into a firm’s enterprise risk management framework. To be sure, some companies are focused on cyberthreats and recognize their potential economic threat. But companies need to do more than simply recognize the problem. They need to heed the calls of their shareholders and treat cyberthreats as a business risk. Corporations and shareholders will both benefit from greater transparency and focus on the risks related to unintended data loss and the collateral consequences.” While the SEC has previously issued guidance on cyberrisk disclosure, she concluded, it “can and should do more.”
A company will need to consider disclosure regarding cybersecurity and cyber incidents if they represent “events, trends or uncertainties that are reasonably likely to have a material effect on its results of operations, liquidity, or financial condition,” “would cause reported financial information not to be necessarily indicative of future operating results or financial condition” or would otherwise “be necessary to an understanding of its financial condition, changes in financial condition, and results of operations.” In this analysis, factors to be considered include “the cost of ongoing cybersecurity efforts (including enhancements to existing efforts), the costs and other consequences of cybersecurity incidents, and the risks of potential cybersecurity incidents,” in addition to costs such as the “loss of intellectual property, the immediate costs of the incident, as well as the costs associated with implementing preventative measures, maintaining insurance, responding to litigation and regulatory investigations, preparing for and complying with proposed or current legislation, engaging in remediation efforts, addressing harm to reputation, and the loss of competitive advantage that may result.” The impact on reportable segments should also be considered.
With respect to business disclosures, the SEC advises that if “cybersecurity incidents or risks materially affect a company’s products, services, relationships with customers or suppliers, or competitive conditions, the company must provide appropriate disclosure.” (That could include, for example, incidents that affect the viability of a new product or theft of customer information that might affect the company’s reputation and competitive position.)
Any material pending legal proceedings to which the company or any of its subsidiaries is a party that relate to cybersecurity issues are required to be disclosed.
Disclosure of cybersecurity risks and cyber incidents could be required throughout the financial statements, including:
- “expenses related to investigation, breach notification, remediation and litigation, including the costs of legal and other professional services;
- loss of revenue, providing customers with incentives or a loss of customer relationship assets value;
- claims related to warranties, breach of contract, product recall/replacement, indemnification of counterparties, and insurance premium increases; and
- diminished future cash flows, impairment of intellectual, intangible or other assets; recognition of liabilities; or increased financing costs.”
Companies are advised to structure disclosure controls to reasonably assure that information about cyber incidents is timely incorporated into the financial statements as the information becomes available.
Board Risk Oversight
Companies are required to disclose the extent of their boards’ role in risk oversight, including how the board administers that function. If cybersecurity risks are material, the SEC believes that the board’s role in oversight of that risk should be discussed, along with the company’s cybersecurity risk management program and how the board engages with management on cybersecurity issues.
Policies and Procedures
The new areas of focus in this guidance relate to policies and insider trading.
Disclosure Controls and Procedures
The SEC encourages companies to adopt comprehensive policies and procedures related to cybersecurity and to assess compliance regularly. As part of that exercise, companies should assess whether their disclosure controls and procedures are adequate to reasonably ensure that information about cybersecurity risks and incidents is reported to “appropriate personnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications.” The controls should also suffice to ensure that information is communicated to appropriate personnel to facilitate compliance with insider trading policies.
The SEC cautions that disclosure controls should not be limited to specifically required disclosures, but should also cover information necessary to identify and assess potential disclosures. In particular, the SEC advises, “[c]ontrols and procedures should enable companies to identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents.”
The SEC also notes that the required CEO and CFO certifications address effectiveness of disclosure controls and “should take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact. In addition, to the extent cybersecurity risks or incidents pose a risk to a company’s ability to record, process, summarize, and report information that is required to be disclosed in filings, management should consider whether there are deficiencies in disclosure controls and procedures that would render them ineffective.”
Insider Trading Policies
Information regarding cybersecurity risks and incidents may be material nonpublic information, and, the SEC warns, insiders could violate the antifraud provisions if they traded company securities on the basis of that information. Other applicable prohibitions on insider trading may derive from exchange-mandated internal codes of ethics and insider trading policies. The SEC advocates that companies consider how to avoid the appearance of improper trading during the period following an incident—when the company is investigating and determining the facts, consequences and materiality of an incident—and prior to the dissemination of disclosure. Accordingly, companies should analyze when it would be appropriate to implement trading restrictions and consider including in their insider trading policies prophylactic measures to protect against insiders’ trading on the basis of material nonpublic information.
Reg FD and Selective Disclosure
The SEC expects companies to have policies and procedures that ensure Reg FD compliance with respect to disclosures of material nonpublic information related to cybersecurity risks and incidents.