On February 21, 2018, the Securities and Exchange Commission issued a public statement to clarify, reinforce, and expand the Division of Corporation Finance’s influential 2011 guidance for public disclosure obligations with respect to cybersecurity risk and incidents. The Commission statement, issued as an interpretive release adopted after a unanimous vote by the Commission, signals the importance of continued compliance with the 2011 guidance and careful consideration of cyber controls and procedures on a going-forward basis. SEC Chairman Jay Clayton’s related public statement also makes clear the importance of adequate disclosure of cybersecurity-related matters and robust cybersecurity policies and procedures, noting that “cybersecurity is critical to the operations of our companies and our markets” and that “[p]ublic companies must stay focused on these issues and take all required action to inform investors about material cybersecurity risks and incidents in a timely fashion.”
The Commission release supplements (and does not replace) the existing 2011 guidance, noting that “[the Commission] is reinforcing and expanding upon the staff’s 2011 guidance” because the “increasing significance” of cybersecurity incidents makes it “necessary to provide further Commission guidance”. Registrants should therefore continue to consider and apply the 2011 staff guidance, supplemented by the additional discussion in the Commission release. The Commission release identifies and stresses two specific concepts: (i) effective disclosure policies and procedures related to cybersecurity risks and incidents, and (ii) related insider trading and selective disclosure concerns. The discussion of effective disclosures and related policies and procedures is largely consistent with the 2011 guidance, while the focus on insider trading and selective disclosure is a clear expansion of the scope of the prior guidance.
Like the 2011 guidance, the Commission release discusses general criteria to consider when evaluating the disclosure of cybersecurity incidents or risks. The Commission release does go further in certain respects; for example, the Commission identifies specific factors to consider when evaluating whether risk factor disclosure is appropriate, including:
- the occurrence of prior cyber incidents (including severity and frequency);
- the probability of the occurrence and potential magnitude of cyber incidents (an apparent reference to the potential materiality of the risk of a cyber incident);
- the adequacy of preventative actions and the associated costs;
- the particular aspects of the registrant’s operations that give rise to cyber risks and the consequences of such risks;
- the costs associated with maintaining cybersecurity protections;
- the potential for reputational harm;
- the impact of relevant laws and regulations; and
- litigation, regulatory, and other remedial costs.
Consistent with the 2011 guidance, the release also makes clear that effective disclosure may require discussion of previous or ongoing cybersecurity incidents or other past events in order to “place discussions of these risks in the appropriate context.”
The Commission release further clarifies the 2011 guidance for MD&A disclosure, with a particular focus on the breadth of potential costs that could be relevant to cybersecurity risks and incidents, including, for example, costs resulting from related loss of intellectual property, maintaining insurance, litigation and regulatory investigations, compliance with new legislation, addressing harm to reputation, and the loss of competitive advantage. Similarly, the Commission reinforces the 2011 guidance in the context of financial statement disclosures, explaining that cybersecurity risks should be incorporated into financial statements on a timely basis “as the information becomes available.” The release identifies specific potential impacts to a registrant’s financial statements, including expenses related to litigation and other legal or professional costs, loss of revenue or costs from incentives or other relationship assets, claims related to warranties or breach of contract, and diminished future cash flows or impairment of intellectual property, intangible, or other assets. Description of Business and Legal Proceedings disclosures are also briefly discussed in the release, albeit in a more limited manner that appears to reflect a general restatement of the 2011 guidance.
The Commission goes significantly further than the 2011 guidance in the context of board oversight disclosures pursuant to Item 407(h) of Regulation S-K and Item 7 of Schedule 14A, underscoring the role of directors in overseeing the management of cybersecurity risk. Although many boards routinely consider cybersecurity risks as part of their risk oversight function, the release suggests that a registrant should expand on the board risk oversight discussion required by Item 407(h) and included in the company’s annual proxy statement, so that it explicitly describes the role of the board of directors in considering cybersecurity risk to the extent those risks are material to the company’s business. Indeed, the Commission states that “disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility.” In light of the guidance in the Commission release, companies may need to revisit the board risk oversight disclosures in their annual proxy statements, both to address cybersecurity and to consider whether additional changes are needed to more explicitly describe the board’s risk oversight responsibility for other material risks to the company’s business.
Disclosure Policies and Procedures
Stressing the importance of reporting information about cybersecurity risks “up the corporate ladder,” the release also notes that cybersecurity risk management policies and procedures are “key elements of enterprise-wide risk management, including as it relates to compliance with the federal securities laws.” The Commission significantly expands the 2011 guidance in the context of policies and procedures; for example, the release includes a specific discussion of the interplay between the disclosure controls and procedures required pursuant to Exchange Act Rules 13a-15 and 15d-15 and cybersecurity-specific policies and procedures. The release states as follows:
When designing and evaluating disclosure controls and procedures, companies should consider whether such controls and procedures will appropriately record, process, summarize, and report the information related to cybersecurity risks and incidents that is required to be disclosed in filings. Controls and procedures should enable companies to identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents.
Similarly, the Commission notes that the officer evaluations of disclosure controls and procedures required pursuant to Exchange Act Rules 13a-14 and 15d-14 should “take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact,” and should consider whether cybersecurity risks or incidents could reflect deficiencies in disclosure controls and procedures that would render them ineffective.
The release also includes a general discussion of cybersecurity-specific policies and procedures, including a statement that policies should include timely collection and evaluation of information “relevant to an assessment of the need to disclose developments and risks that pertain to the company’s business.” Procedures should also enable the company to identify cybersecurity risks, incidents, and potential impacts and “provide for open communications between technical experts and disclosure advisors.”
Insider Trading and Selective Disclosure
The Commission release also includes a new discussion of insider trading and selective disclosure in the specific context of cybersecurity incidents, likely as a result of recent events involving insiders of companies affected by a cybersecurity incident that allegedly sold significant amounts of company stock immediately prior to public reporting of the breach. The Commission notes that “information about a company’s cybersecurity risks and incidents may be material nonpublic information,” and that therefore registrants and their insiders should be mindful of “complying with the laws related to insider trading in connection with information about cybersecurity risks and incidents, including vulnerabilities and breaches.” The release explicitly encourages registrants to consider (i) how their code of ethics and insider trading policies “take into account and prevent trading on the basis of material nonpublic information related to cybersecurity risks and incidents,” as well as (ii) whether and how it may be appropriate to “implement restrictions on insider trading in their securities” in connection with cyber‑related events. In the context of Regulation FD, the Commission explicitly states that it “expect[s] companies to have policies and procedures to ensure that any disclosures of material nonpublic information related to cybersecurity risks and incidents are not made selectively . . . .” In light of these statements, companies should consider whether their existing insider trading, Regulation FD, or other policies require updating to explicitly reference significant cybersecurity incidents as an example of information that, if not public, could be material and trigger the policy.
The Commission release reinforces the significance of cybersecurity risk and provides greater clarity with respect to cybersecurity disclosure in the context of specific reporting obligations. As Chairman Clayton notes in his statement, registrants should “examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives.” Registrants should therefore consider periodic assessments of disclosure policies and procedures as well as insider trading policies to consider the specific risks presented by potential cybersecurity incidents.