On Feb. 20, 2018, the Securities and Exchange Commission approved the issuance of a statement and interpretive guidance related to cybersecurity — the first such statement by the SEC in almost seven years.
SEC Chairman Jay Clayton, in announcing the issuance of the statement, said he believed the new guidance would “promote clearer and more robust disclosure by companies about cybersecurity risks and incidents,” although the SEC’s two Democratic members expressed concern that the new guidance did not go far enough. These commissioners voted in favor of the unanimously approved guidance, but issued separate statements calling for stronger action, including, in the case of Commissioner Kara Stein, the adoption of new rules explicitly addressing cybersecurity by, for example, making the occurrence of a cyberattack a mandatory Form 8-K reporting event or requiring public companies to develop and implement cybersecurity-related policies and procedures.
The new interpretive guidance instead states the SEC’s views about disclosure of cybersecurity risks and incidents under existing laws and rules, addresses the importance of cybersecurity policies and procedures and the application of disclosure controls and procedures, and discusses insider trading prohibitions and Regulation FD. Like the prior guidance released by the SEC’s Division of Corporation Finance in 2011, the new guidance reminds companies of the ways in which the SEC’s rules and forms already require disclosure of material cybersecurity incidents and risks — namely, as a result of rules requiring discussions of risk factors, management’s discussion and analysis of financial condition and results of operations, a company’s business, legal proceedings, financial statements, and board risk oversight.
The new guidance also encourages companies to consider cybersecurity in the context of the disclosure controls and procedures required under the Sarbanes-Oxley Act. That is, companies should consider whether their disclosure controls and procedures will properly record, process, summarize and report information related to cybersecurity risks and incidents required to be publicly disclosed. These controls, the SEC stated, should enable companies to identify cybersecurity risks and incidents, assess and analyze their impact, evaluate the significance of such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents.
Finally, in addition to the topics addressed by the 2011 guidance, the SEC discussed cybersecurity in the context of insider trading and selective disclosure rules (Regulation FD). The guidance specifically noted that information about a company’s cybersecurity risks and incidents may be material nonpublic information, and accordingly, trading by corporate insiders on the basis of such information would be prohibited by insider trading rules.
Additionally, the SEC encouraged companies to consider imposing trading blackouts while investigating and assessing significant cybersecurity incidents and determining their materiality. The commission also cautioned companies to ensure that they don’t selectively disclose not-yet-public information about cybersecurity risks or incidents to investment professionals or other investors who may trade on that information, in violation of Regulation FD.