On February 13, 2018, SEC Commissioner Kara Stein discussed the significance of cybersecurity in a speech at Stanford University.[i] Stein argued in her speech that cybersecurity is one of the biggest challenges facing our economy because cybersecurity attacks and incidents can have a material effect on companies and affect millions of people.[ii] Stein went on to criticize current cybersecurity disclosures made by regulated entities (e.g., public companies and mutual funds) as boilerplate and failing to provide useful or meaningful information.[iii] Stein believes corporations (with SEC oversight) should do more to ensure protection of investor and company information from cyber attacks.[iv]
On February 21, 2018, the SEC followed up Stein’s speech by releasing an interpretative guidance on public company cybersecurity disclosures (the “2018 Guidance”) that reinforced and expanded guidance issued in 2011.[v] The 2018 Guidance reminds companies that current SEC disclosure requirements include the obligation to disclose cybersecurity risks and incidents.[vi] The 2018 Guidance also describes certain factors companies should consider when determining whether a cybersecurity risk or incident is material.[vii] These factors include the importance of the compromised information, impact on company operations, and range of harm an incident may cause.[viii] The 2018 Guidance states that companies should provide useful information to investors while cautioning that companies must avoid both overly detailed disclosures that could compromise their cybersecurity efforts and disclosures that are too generic.[ix] The obligations and considerations detailed in the 2018 Guidance are envisioned to fit within a comprehensive compliance program. To that end, companies should have “comprehensive policies and procedures related to cybersecurity” and “assess their compliance regularly.”[x]
In a statement announcing the 2018 Guidance, Chairman Clayton asserted that “the guidance will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information to investors.”[xi] Commissioner Stein has indicated that the 2018 Guidance may be only the SEC’s first step in addressing cybersecurity issues, as it “provides only modest changes to the 2011 staff guidance.”[xii]
While the 2018 Guidance contains sound advice, it also creates difficulties for companies. Most significantly, companies may find it difficult to strike the appropriate balance between disclosing meaningful information to investors and not revealing details that could weaken the protection of their information systems. To tailor appropriate disclosures, companies will need the assistance of legal counsel and, potentially, other third-party service providers. Companies should act immediately to ensure alignment with the 2018 Guidance, as cybersecurity is an examination priority of the Office of Compliance Inspections and Examinations for fiscal year 2018.[xiii]
If you have any questions about developing cybersecurity policies or disclosure obligations, please feel free to contact us.