Last week, as previously reported, the U.S. Securities and Exchange Commission (SEC) unanimously voted to approve additional guidance for reporting cybersecurity risks. The release of this guidance underscores the SEC’s intent to prioritize cybersecurity compliance in 2018. The SEC will likely bring action against boilerplate cybersecurity disclosures that are not specifically tailored to address unique industry challenges. Companies should review and amend current policies and procedures to ensure legal compliance with the updated guidance and mitigate the risk of regulatory enforcement action. This includes companies that are subject to material cybersecurity risks but have not yet suffered a cyber-attack.
Prior SEC Cybersecurity Initiatives
Historically, the SEC has focused its cybersecurity efforts on protecting consumer information by conducting thorough risk assessments and evaluating vulnerabilities. For example, since 2014, the Office of Compliance Inspections and Examinations (OCIE) has made cybersecurity a top priority by reviewing the effectiveness of various cybersecurity programs. In 2015, the SEC announced enforcement actions against companies for lax cybersecurity policies that failed to safeguard consumer information. And in 2017, during the WannaCry ransomware attack, the SEC issued an alert to broker-dealers, investment advisers, and investment companies reminding them to address cybersecurity risks. Similarly, the Financial Industry Regulatory Authority (FINRA) continues to treat cybersecurity as a top priority and recently, through its exam findings report, detailed effective cybersecurity program practices.
Cybersecurity Policies and Procedures
The release of updated guidance makes it clear that going forward the SEC will more closely examine cybersecurity risk disclosure policies and procedures and bring action against those companies that fail to comply with the guidance. In addition to expanding upon topics from the 2011 guidance, such as associated costs and the likelihood of litigation, the 2018 guidance addresses two new areas: (1) cybersecurity policies and procedures and (2) cybersecurity insider trading prohibitions. The guidance emphasizes the importance of establishing policies and procedures that manage the disclosure of “material cybersecurity risks and incidents in a timely fashion.”
The guidance states that when determining disclosure obligations, companies should avoid “generic cybersecurity-related disclosures” and consider:
- the potential materiality of any identified risk;
- the importance of any compromised information; and
- the impact of the incident on the company’s operations.
In order to determine the “materiality” of a cybersecurity risk, companies should analyze:
- the nature, extent, and potential magnitude of the risk; and
- the potential harm that could occur, including reputational harm, financial challenges, damage to customer and vendor relationships, and possible litigation or regulatory actions.
Although the SEC did not mention any specific data incidents, recent breaches likely played a part in issuing new guidance. The SEC used the new guidance as a reminder to adopt policies and procedures that prevent corporate insiders from trading on material nonpublic information regarding a cyber incident before public disclosure of the incident. This is not the first time the SEC has scrutinized insider trading. In 2015 the SEC announced a $30 million settlement with Ukraine-based Jaspen Capital Partners Limited and CEO Andriy Supranonok over allegations that they made financial gains by trading on non-public corporate news releases that were hacked from newswire services. The SEC continues its focus on insider trading in the 2018 guidance, stating that when there is “selective disclosure of material nonpublic information related to cybersecurity,” companies must ensure the material information is disclosed to all investors at the same time and is therefore compliant with Regulation FD. The guidance goes on to state that companies should also avoid the mere appearance of improper trading that may occur “during the period following an incident and prior to the dissemination of disclosure.”
SEC Cybersecurity Certification
In addition to insider trading, the 2018 guidance states that disclosure controls and procedures should ensure that relevant cybersecurity risk and incident information is reported to management so that they may make required certifications and disclosure decisions. The inclusion of this concept is unsurprising given the 2014 speech by SEC Commissioner Luis A. Aguilar, in which he said that “ . . . ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s risk oversight responsibilities.” The 2018 guidance expands on that point and specifically references different disclosure certifications that executive management should consider when assessing the adequacy of procedures for identifying cybersecurity risks. For example, certifications made pursuant to Exchange Act Rules 13a-14 and 15d-14, as well as Item 307 of Regulation S-K and Item 15(a) of Exchange Act Form 20-F, are made on a quarterly and annual basis by upper management and require certification regarding the design and effectiveness of disclosure controls and procedures. When certifying cybersecurity effectiveness pursuant to these rules, the guidance states that certifications and disclosures should consider:
- if there are sufficient controls and procedures for identifying cybersecurity risks and incidents;
- if there are sufficient controls and procedures for assessing and analyzing the impact of the incidents; and
- if cybersecurity risks or incidents threaten “a company’s ability to record, process, summarize, and report” required information, then management should determine if “there are deficiencies in disclosure controls and procedures that would render them ineffective.”
As the number of cyber-attacks has increased, so has the SEC’s interest in comprehensively regulating cyber risks. If your company has suffered a small attack that does not meet the criteria for materiality, the incident still may need to be reported to the SEC because the company may be a target for high-profile hackers or state agents. Further, if your company suffers a cyber-attack of any size, the guidance states that you may need to “refresh” previous disclosures during the process of investigating a cybersecurity incident or past events. It goes on to provide that “past incidents involving suppliers, customers, competitors, and others may be relevant when crafting risk factor disclosure.” But even if your company has not suffered a cyber-attack, the SEC expects that your company has adopted and implemented written cybersecurity policies and procedures that protect consumer information, limit insider trading, and properly manage cybersecurity risk disclosure.
As noted in our previous post, in contrast to the Democratic commissioners, Chairman Jay Clayton stated that he believes the guidance will “promote clearer and more robust disclosure” and that he “urge[s] public companies to examine their controls and procedures.” For example, when disclosing significant risk factors pursuant to Regulation S-K and Form 20-F, the guidance suggests that companies should consider the following:
- the occurrence of prior cybersecurity incidents, including severity and frequency;
- the adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs;
- the costs associated with maintaining cybersecurity protections; and
- existing or pending laws and regulations that may affect the requirements.
While the guidance does not specifically propose new cybersecurity regulations, it does provide a new focus for the agency as well as additional detail regarding previously articulated issues. Company counsel and executive management should closely examine their disclosures, as well as their overall cybersecurity risk disclosure policies and procedures, to determine if they are compliant with this new SEC guidance.