- The U.S. Securities and Exchange Commission (SEC) released, on Feb. 21, 2018, updated guidance regarding public company cybersecurity disclosures. The guidance updates the Commission's 2011 non-binding guidance and reiterates much of the same information. In addition, the 2018 guidance seeks to address items not specifically raised in the 2011 guidance, including concepts pertaining to cyber policies and procedures as well as insider trading in the cyber context.
- The guidance comes on the heels of the SEC's Office of Compliance Inspections and Examinations' (OCIE) release of its 2018 Exam Priorities. As in previous years, the Exam Priorities emphasize cybersecurity as a key focus area for each of OCIE's examination programs.
- Regulated entities would be remiss to fail to prepare for potential cybersecurity exams by the SEC, the Financial Industry Regulatory Authority (FINRA) or state regulators. Conducting comprehensive cybersecurity program assessments under privilege can help both to prepare organizations for these exams and to mitigate the risk of problematic findings and/or noncompliance.
Following the U.S. Securities and Exchange Commission's (SEC) Office of Compliance Inspections and Examinations' (OCIE) recent release of its 2018 National Exam Program Examination Priorities (Exam Priorities), the SEC continued its cybersecurity oversight efforts by issuing its Commission Statement and Guidance on Public Company Cybersecurity Disclosures (2018 Disclosure Guidance). The 2018 Disclosure Guidance updates the Commission's 2011 non-binding guidance on the topic and reiterates much of the same information. In addition, the 2018 Disclosure Guidance seeks to address items not specifically raised in the 2011 guidance, including concepts pertaining to cyber policies and procedures as well as insider trading in the cyber context.
Updated Guidance on Public Company Cybersecurity Disclosures
In its 2018 Disclosure Guidance, the SEC emphasized the importance of disclosing material cybersecurity risks, even in cases where a company has not yet suffered a cyberattack. The SEC noted that effective disclosure controls and procedures are best accomplished when directors, officers, and other key management personnel are informed about their entity's cyber risks. Below are some of the highlights from the 2018 Disclosure Guidance, which in significant part reminds regulated entities that the federal securities laws may apply to cyber risk, cyber events, and any disclosure(s) or disclosure requirements related thereto:
- Materiality. The SEC expects companies to disclose cybersecurity risks and incidents that are material to investors, including considering the concomitant financial, legal, or reputational consequences of cyber risk or a cyber event. The Commission considers omitted information to be material if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available. Importantly, the SEC noted that "an ongoing internal or external investigation – which often can be lengthy – would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident." (Emphasis added.)
- Risk Factors. Companies should disclose the risks associated with cybersecurity and cybersecurity incidents if these risks are among the most significant factors that make investments in the company's securities speculative or risky (as required by Item 503(c) of Regulation S-K and Item 3.D of Form 20-F). Such risks include those that arise in connection with acquisitions.
- Management Discussion and Analysis (MD&A) of Financial Condition and Results of Operations. Costs associated with cybersecurity issues (e.g., the cost of ongoing cybersecurity efforts, including enhancements, costs and other consequences of cybersecurity incidents, and risks of potential cybersecurity incidents) may inform a company's analysis in disclosures pertaining to its financial condition, changes in financial condition, and results of operations pursuant to Item 303 of Regulation S-K and Item 5 of Form 20-F.
- Description of Business. A company must provide appropriate disclosures where cybersecurity incidents or risks materially affect its products, services, relationships with customers or suppliers, or competitive conditions to comply with requirements pursuant to Item 101 of Regulation S-K and Item 4.B of Form 20-F.
- Legal Proceedings. Regulation S-K, Item 103's requirement to disclose information relating to material pending legal proceedings includes any such proceedings that relate to cybersecurity issues.
- Financial Statement Disclosures. The SEC expects companies to timely incorporate into their financial statements information about the financial impacts of a cybersecurity incident (e.g., costs related to investigation, notification, remediation, and litigation, including legal fees, revenue losses, third-party claims, and diminished future cash flows).
- Board Risk Oversight. To the extent cybersecurity risks are material to a company's business, disclosures pursuant to Item 407(h) of Regulation S-K and Item 7 of Schedule 14A should include the nature of the board's role in overseeing the management of those cyber risks.
- Disclosure Controls and Procedures. The SEC emphasized the importance of cybersecurity policies and procedures, which are also a key component of OCIE's cybersecurity examination procedures. The SEC focused specifically on the need for effective disclosure controls and procedures to ensure that relevant information regarding cybersecurity risks and incidents is timely reported and escalated to the appropriate personnel to enable senior management to determine disclosure obligations.
- Insider Trading. The SEC identified a topic not previously discussed in its 2011 disclosure guidance, clarifying that information about a company's cybersecurity risks and incidents may constitute material nonpublic information, and directors, officers, and other corporate insiders would violate antifraud provisions if they trade the company's securities in breach of their duty of trust or confidence while in possession of that material nonpublic information. The SEC also posited that companies should consider whether and when it may be appropriate to place restrictions on insider trading while a cyber investigation is ongoing.
- Regulation FD and Selective Disclosure. Cybersecurity matters can also implicate disclosure obligations pursuant to Regulation FD. In particular, companies and persons acting on their behalf should not selectively disclose material, nonpublic information regarding cybersecurity risks and incidents to Regulation FD enumerated persons before disclosing that same information to the public. The SEC made clear that it expects companies to have policies and procedures to ensure that cyber-related disclosures are not made selectively and that any Regulation FD required public disclosure is made simultaneously (for intentional disclosures) or promptly (for non-intentional disclosures).
The 2018 Disclosure Guidance comes on the heels of OCIE's release of its Exam Priorities and is the latest action in the SEC's continued focus on cybersecurity oversight.
Exam Priorities and Enforcement's Initiatives
OCIE consistently has included cyber risk in its list of examination priorities since launching its 2014 Cybersecurity 1 Initiative (2014 Initiative) and 2015 Cybersecurity 2 Initiative (2015 Initiative). Importantly, OCIE increasingly has expanded its examination procedures beyond simply confirming that the examined entity maintains cyber-related written policies, procedures and controls. The examination process also includes testing and validation of those policies, procedures and controls to ensure that regulated entities have implemented and consistently followed policies, procedures and controls intended to secure the institution's electronic infrastructure and information.
In particular, OCIE has focused on the following cybersecurity risk management functions, and OCIE continues to emphasize the same in its 2018 Exam Priorities: (1) governance and risk assessment; (2) access rights and controls; (3) data loss prevention; (4) vendor management; (5) training; and (6) incident response. Given the Commission's persistent attention on these six areas, 2018 examinations are likely to focus on deficiencies noted in OCIE's past exams, such as those identified in its August 2017 Risk Alert (Risk Alert).
The Risk Alert featured shortcomings identified in OCIE's examinations of registered broker-dealers, investment advisers, and investment companies conducted pursuant to the 2015 Initiative, including examined entities':
- failure to appropriately tailor policies and procedures to the organization
- lack of enforcement of policies and procedures and/or maintenance of policies and procedures that did not reflect actual practice
- use of end-of-life systems, and
- failure to timely remediate identified high-risk vulnerabilities
OCIE's inclusion of cybersecurity in its Exam Priorities is one component of the Commission's broader push to increase oversight and enforcement of cyber-related matters. And, while the SEC historically has leveraged the examination process — in lieu of enforcement actions — as a means to regulate cyber risk, recent actions suggest that more robust cybersecurity enforcement activity may be on the horizon.
Shortly after issuing the Risk Alert, the SEC announced the creation of its first-ever Cyber Unit (within the Division of Enforcement) and thereafter articulated its enforcement initiatives, suggesting that the Cyber Unit will focus on three key types of cases: (1) the use of cyber-related conduct to gain an unlawful market advantage; (2) failures by registered entities to take appropriate steps to safeguard information or ensure system integrity; and (3) failures by public companies to make a cyber-related disclosure.
Notably, if OCIE identifies serious issues during an examination, it may refer deficiencies to the SEC's Division of Enforcement, a self-regulatory organization, state regulatory agency, or others, including criminal authorities, for possible action. While this is not a new development, entities should not lose sight of this during any examination involving cyber risk and cyber matters. Importantly, the SEC has indicated that the Cyber Unit closely coordinates with OCIE.
Despite the lack of publicly-disclosed enforcement activity in the cyber breach context, it is no secret that the SEC is steadfastly concentrating on this area. The Commission continues to make clear its expectations that companies implement a comprehensive cybersecurity program, including procedures and controls designed to ensure compliance with disclosure obligations related to cyber risks and events. While the SEC has not yet promulgated express mandatory disclosure requirements specifically related to cyber risk or cyber matters, it again issued non-binding guidance and has taken several steps to increase cybersecurity oversight in recent months.
In large part, the SEC's Enforcement Division has remained quiet as to pursuing publicly-disclosed enforcement actions based on any failure to disclose cyber risk or a cyber matter (such as a breach leading to the loss of customer information). However, in light of the SEC's efforts to update its seven-year-old guidance on the topic, and based on a review of the Enforcement Division's public statements, the Division continues to emphasize the potential for doing so. In particular, Division of Enforcement Co-Director Stephanie Avakian noted in late 2017, "We recognize this is a complex area subject to significant judgment, and we are not looking to second-guess reasonable, good faith disclosure decisions, though we can certainly envision a case where enforcement action would be appropriate." The SEC's efforts also complement those of other financial regulatory agencies, such as the recently-enacted New York State Department of Financial Services Cybersecurity Regulations (whose initial compliance certification requirement came due on Feb. 15, 2018).
Regulated entities would be remiss to fail to prepare for potential cybersecurity audits by the SEC, the Financial Industry Regulatory Authority (FINRA) or state regulators. Conducting comprehensive cybersecurity program assessments under privilege can help both to prepare organizations for these audits and to mitigate the risk of problematic findings and/or non-compliance. Holland & Knight's Cybersecurity and Privacy Team has extensive experience conducting cybersecurity assessments and counseling clients in the financial services and insurance industries as well as publicly-traded companies and issuers on cyber-related risks, cyber investigations, disclosure obligations, and related regulatory enforcement matters and litigation.