On February 21, 2018, the US Securities and Exchange Commission (SEC) published interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents. The guidance updates and expands upon CF Disclosure Guidance: Topic No. 2, which was issued by the staff of the SEC’s Division of Corporation Finance (Staff) in 2011. In addition, the guidance addresses the importance of policies and procedures related to cybersecurity. SEC Chairman Jay Clayton noted in a contemporaneous statement that he expects the guidance “will promote clearer and more robust disclosure by companies about cybersecurity risks,” and that as companies implement it, the SEC will consider “whether any further guidance or rules are needed.”
Overview. Consistent with the 2011 Staff guidance, the new guidance, which was issued by the full commission, reiterates that companies should consider the materiality of cybersecurity risks and incidents when preparing the disclosure for registration statements under the Securities Act of 1933 and the Securities Exchange Act of 1934 and for periodic and current reports under the Exchange Act. While the existing disclosure requirements of the federal securities laws do not specifically refer to cybersecurity risks and incidents, the new guidance emphasizes that there are a number of areas in which disclosure of cybersecurity risks and incidents may be required, depending on the particular facts and circumstances, including disclosure regarding a company’s business and operations, risk factors, legal proceedings, management’s discussion and analysis of financial condition and results of operations (MD&A), financial statements, disclosure controls and procedures, and corporate governance.
Incident Response. The guidance clarifies that companies are not expected to “publicly disclose specific, technical information about their cybersecurity systems, the related networks and devices, or potential system vulnerabilities in such detail as would make such systems, networks, and devices more susceptible to a cybersecurity incident,” but cannot delay disclosure solely due to “ongoing internal or external investigation[s]” into cybersecurity incidents. Rather, companies should consider the need to correct or refresh the initial disclosures made following an incident, “including during the process of investigating a cybersecurity incident.”
Risk Factors. The guidance suggests that companies should consider the following issues, among others, when evaluating cybersecurity risk factor disclosure:
- The occurrence of prior cybersecurity incidents, including their severity and frequency;
- the probability of the occurrence and potential magnitude of cybersecurity incidents;
- the adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including, if appropriate, discussing the limits of the company’s ability to prevent or mitigate certain cybersecurity risks;
- the aspects of the company’s business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks, including industry-specific risks and third party supplier and service provider risks;
- the costs associated with maintaining cybersecurity protections, including, if applicable, insurance coverage relating to cybersecurity incidents or payments to service providers;
- the potential for reputational harm;
- existing or pending laws and regulations that may affect the requirements to which companies are subject relating to cybersecurity and the associated costs to companies; and
- litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.
MD&A. The guidance identifies the costs of ongoing cybersecurity efforts and the risks of potential cybersecurity incidents as items to be considered when preparing MD&A disclosure. The costs associated with cybersecurity issues could include loss of intellectual property, the immediate costs of the incident, costs of preventative measures, insurance, litigation and regulatory investigation. The guidance specifies that the SEC expects companies to consider the impact of cybersecurity incidents on each reportable segment as well.
Business and Legal Proceedings. The guidance notes that if cybersecurity incidents or risks materially affect a company’s products, services, relationships with customers or suppliers, or competitive conditions, appropriate disclosure would be needed in the description of the company’s business. According to the guidance, the requirement of disclosing information relating to material pending legal proceedings also includes any such proceedings related to cybersecurity issues.
Financial Statements. The guidance mentions that cybersecurity incidents may affect financial statements to the extent they result in:
- Expenses related to investigation, breach notification, remediation and litigation, including the costs of legal and other professional services;
- loss of revenue, providing customers with incentives or a loss of customer relationship assets value;
- claims related to warranties, breach of contract, product recall/replacement, indemnification of counterparties, and insurance premium increases; and
- diminished future cash flows, impairment of intellectual, intangible or other assets; recognition of liabilities; or increased financing costs.
Board Oversight. The guidance also mentions that the disclosure of the board’s role in risk oversight, which is part of the proxy statement disclosure requirements, should include a discussion of the board’s role in overseeing the management of cybersecurity risks to the extent that such risks are material to a company’s business. According to the guidance, the SEC believes that “disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.”
Policies and Procedures
Disclosure Controls and Procedures. SEC Commissioner Kara Stein noted her belief in a contemporaneous statement that: “Too many companies currently fail to consider cybersecurity as a business risk and, thus, do not incorporate it within the risk management framework overseen by their boards.” While the SEC did not issue a proposed rule to address her concern, the guidance encourages companies “to adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly, including the sufficiency of their disclosure controls and procedures as they relate to cybersecurity disclosure.”
According to the SEC, companies should have controls and procedures that enable them “to identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents.” In addition, the guidance also makes clear that a “company’s disclosure controls and procedures should not be limited to disclosure specifically required, but should also ensure timely collection and evaluation of information potentially subject to required disclosure [emphasis added], or relevant to an assessment of the need to disclose developments and risks….”
Finally, the guidance indicates that, when the principal executive officer and principal financial officer make their required certifications regarding the design and effectiveness of disclosure controls and procedures, they “should take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact.”
Insider Trading. The guidance states that cybersecurity risks and the occurrence of incidents may be material nonpublic information and warns that directors, officers and other insiders would violate the antifraud provisions of the securities laws by trading in the company’s securities while in possession of such material nonpublic information. The guidance encourages companies to consider how their codes of ethics and insider trading policies take into account and prevent trading on the basis of material nonpublic information, including information relating to cybersecurity risks and incidents. The SEC advised that it believes that “companies would be well served by considering how to avoid the appearance of improper trading during the period following an incident and prior to the dissemination of disclosure.”
Regulation FD. The guidance reflects the SEC’s concern regarding selective disclosure of material nonpublic information related to cybersecurity. It specifies that the SEC expects companies “to have policies and procedures to ensure that any disclosures of material nonpublic information related to cybersecurity risks and incidents are not made selectively, and that any Regulation FD required public disclosure is made simultaneously (in the case of an intentional disclosure as defined in the rule) or promptly (in the case of a non-intentional disclosure) and is otherwise compliant with the requirements of that regulation.”
The new guidance covers many of the disclosure points that the Staff raised in 2011 in CF Disclosure Guidance: Topic No. 2. However, by issuing cybersecurity interpretive guidance approved by the full commission, the SEC emphasized the importance it is placing on cybersecurity disclosures and policies. The new guidance serves as a reminder that disclosures and policies in this area should be evaluated regularly.
The guidance encompasses more than disclosure. Companies should assess whether their existing disclosure controls and procedures are adequate to assure timely disclosure of cybersecurity risks and incidents of the various types that the SEC emphasized in the guidance and should periodically evaluate whether those controls and procedures remain adequate. Companies should also consider whether they need to revise their insider trading policies and procedures to specifically address the ability to trade in company securities while in possession of material nonpublic information regarding cybersecurity incidents.
Boards of directors should evaluate whether they are sufficiently involved in the oversight of cybersecurity risks and whether they need additional training in this area. Companies preparing proxy statements should consider discussing board oversight of cybersecurity risk as part of their discussion of the board’s role in the risk oversight of the company.
If a cybersecurity incident occurs, then companies should consider how they will handle public disclosure as part of their incident response process. The guidance recognizes that “it may be necessary to cooperate with law enforcement,” but nonetheless states that an ongoing internal or external investigation into an incident does not itself justify a delay in public disclosure. This approach puts the guidance in some tension with many state data breach laws that allow a company to refrain from notifying consumers of an incident at the request of law enforcement or while an investigation of the scope of a breach is ongoing. Companies will benefit from considering how to manage these differing disclosure obligations in a manner that minimizes legal risk and reputational harm (e.g., by preventing undue delay between a public disclosure to investors and subsequent breach notifications). Moreover, companies will need to bear in mind that a new incident may require them to revisit disclosures they previously made to investors.
Following a cybersecurity incident, companies should also be vigilant in order to avoid situations in which corporate insiders are trading in company securities while in possession of, or selectively disclosing, material nonpublic information regarding a cybersecurity breach or incident. Companies in this situation may want to consider whether it would be prudent to prohibit trading by corporate insiders under such circumstances. Similarly, persons should not enter into Rule 10b5-1 trading plans while in possession of such material nonpublic information. In addition, persons with pre-existing Rule 10b5-1 trading plans should consider the optics of having trades occur pursuant to a trading plan in light of the nature of the undisclosed material nonpublic information.