On February 21, 2018, the Securities and Exchange Commission unanimously approved interpretive guidance on public company cybersecurity disclosures to assist public companies in preparing disclosures about cybersecurity risks and incidents. In a statement accompanying the guidance, SEC Chairman Jay Clayton stated his belief that "providing the [SEC]'s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors."
The guidance supplements and reinforces the guidance issued by the SEC staff in 2011 and may signal that the SEC will be placing a heavier emphasis on the cybersecurity disclosure obligations of public companies and the related disclosure controls, policies and procedures.
Although the new guidance does not change the 2011 guidance, it addresses two additional topics not developed in the 2011 guidance:
- Cybersecurity Risk Management Policies and Procedures. Companies are encouraged to adopt and regularly update comprehensive cybersecurity risk management policies and procedures. Companies should consider whether existing disclosure controls and procedures appropriately provide for the free flow of information to ensure that the right personnel are able to adequately assess disclosure obligations following a cybersecurity incident. The new guidance also highlights that companies should consider disclosing the nature of the board's role in overseeing cybersecurity risk management.
- Relationship Between Cybersecurity Risk and Insider Trading. Companies should consider adopting and implementing policies and procedures that prevent trading based on material non-public information relating to a cybersecurity incident. Companies should consider whether existing insider trading policies and codes of conduct ensure adherence with applicable insider trading laws following a cybersecurity incident.
Disclosure Requirements and Materiality
The new guidance acknowledges that current disclosure requirements do not specifically refer to cybersecurity risks and incidents. However, the guidance emphasizes that "a number of the requirements impose an obligation to disclose such risks and incidents depending on a company's particular circumstances." The guidance notes that under existing regulations, a company is required to disclose "such further material information, if any, as may be necessary to make the required statements, in light of the circumstances under which they are made, not misleading."
In determining their disclosure obligations regarding cybersecurity risks and incidents, companies should generally weigh, among other things, the potential materiality of any identified risk and, in the case of incidents, the importance of any compromised information and the impact of the incident on the company's operations. The SEC noted, for example, that compromised information might include personally identifiable information, trade secrets or other confidential business information, and that the materiality determination may depend on the nature of the company's business as well as the scope of the compromised information.
The guidance also stresses that companies "should avoid generic cybersecurity-related disclosure and provide specific information that is useful to investors." However, a company should not make such disclosures so detailed that they could themselves compromise its cybersecurity efforts, for example by providing a "roadmap" for those who seek to penetrate the company's security protections. The guidance identifies sections of filings where the disclosure of matters relating to cybersecurity may be warranted and provides some discussion and examples of the types of disclosure that should be considered, such as:
- Risk factors: Companies should consider, among other issues:
  - the occurrence of prior cybersecurity incidents, including their severity and frequency;
  - the probability of the occurrence and potential magnitude of cybersecurity incidents;
  - the adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including, if appropriate, discussing the limits of the company's ability to prevent or mitigate certain cybersecurity risks;
  - the aspects of the company's business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks, including industry-specific risks and third-party supplier and service provider risks;
  - the costs associated with maintaining cybersecurity protections, including, if applicable, insurance coverage relating to cybersecurity incidents or payments to service providers;
  - the potential for reputational harm;
  - existing or pending laws and regulations that may affect the requirements to which companies are subject relating to cybersecurity and the associated costs to companies; and
  - litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.
The SEC also notes that to meet their disclosure obligations, companies may need to disclose previous or ongoing cybersecurity incidents or other past events to provide appropriate context. For example, if a company previously experienced a material denial-of-service attack, the SEC notes that it likely would be insufficient for the company to disclose that risk without discussing the prior occurrence of such an incident and its consequences.
- MD&A: Companies are required to discuss their financial condition, changes in financial condition and results of operations, including known trends or uncertainties that are reasonably likely to have a material effect on results of operations, liquidity or financial condition. Companies should consider discussing the cost of ongoing cybersecurity efforts (including enhancements to existing efforts), the costs and other consequences of cybersecurity incidents, and the risks of potential cybersecurity incidents.
- Description of business: Companies should consider whether a cybersecurity incident or risk has materially affected the company's products, services, relationships with customers or suppliers, or competitive conditions and, if so, the company must provide appropriate disclosure.
- Legal proceedings: Companies should consider disclosing cybersecurity incidents involving the theft of customer information that results in material litigation.
- Financial statement disclosures: The SEC expects that a company's financial reporting and control systems would be designed to provide reasonable assurance that information about the range and magnitude of the financial impacts of a cybersecurity incident would be incorporated into its financial statements on a timely basis as the information becomes available.
- Board risk oversight: If cybersecurity risks are material to a company's business, companies should consider disclosing the nature of the board's role in overseeing the management of that risk.
Policies and Procedures
The guidance also discusses disclosure processes and protections against insider trading. The guidance notes that information about a registrant's cybersecurity risks and incidents may be material non-public information. Accordingly, corporate insiders would violate antifraud provisions of the federal securities laws if they trade the company's securities while in the possession of such information. The SEC recommends that companies consider implementing blackout periods prior to public disclosure of material cybersecurity events. The guidance also reminds companies that selective disclosure of a material cybersecurity event is prohibited by Regulation FD. The SEC recommends disclosing material cybersecurity matters on a Form 8-K or Form 6-K to ensure compliance with Regulation FD.
Additional Commentary from SEC Commissioners
On February 21, 2018, SEC Commissioner Kara M. Stein issued a public statement on the guidance wherein she expressed disappointment with the SEC's limited action. For example, she notes that the SEC could have sought notice and comment on proposed rules to address improvements in the board's risk management framework related to cybersecurity risks, to establish minimum standards to protect the personally identifiable information of investors, to require timely public notice to investors following a cyberattack (for example, on Form 8-K) and to implement cybersecurity-related policies and procedures beyond disclosure.
On March 15, 2018, SEC Commissioner Robert J. Jackson Jr. issued a public statement on the guidance. Commissioner Jackson noted that he "reluctantly" agreed with the guidance, stating that he was concerned that it did not go far enough and did not provide corporate counsel with a sufficiently transparent listing of disclosure obligations following a cybersecurity incident. He also expressed that regulators "can and must do more" on the issue of cybersecurity and that the new guidance "essentially reiterates years-old staff-level views on this issue...but economists of all stripes agree that much more needs to be done."
Although these two Commissioners' comments were their own and do not represent the views of the SEC, it seems unlikely that the new guidance is the last that companies will hear from the SEC on this increasingly important topic.