Hoping to help covered entities, the Securities and Exchange Commission (SEC) released an update on cybersecurity while New York’s Department of Financial Services (DFS) published guidance for licensed virtual currency businesses in the state.
In an effort to provide assistance to public companies when preparing disclosures about cybersecurity risks and incidents, the commissioners of the SEC unanimously voted to publish new guidance.
The document updates and reinforces guidance issued by the agency in October 2011, noting that cybersecurity poses a “grave threat” that has increased in both risk and frequency. Incidents can result from unintentional events or deliberate attacks by insiders or third parties, the SEC said.
“Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyberattack,” according to the guidance.
Of critical importance are disclosure controls and procedures that provide an appropriate method of discerning the impact such matters may have on the company and its business, financial condition and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents, the SEC said. Public companies also need policies and procedures in place to guard against directors, officers and other insiders trading securities while in possession of material nonpublic information.
In addition to considering the materiality of cybersecurity risks and incidents when preparing the disclosures for statements required by the Securities Act, the Securities Exchange Act, as well as periodic and current reports, the SEC reminded companies that they are also required to disclose “such further material information, if any, as may be necessary to make the required statements, in light of the circumstances under which they are made, not misleading.”
What makes a cybersecurity issue material? Companies should “generally weigh, among other things, the potential materiality of any identified risk and, in the case of incidents, the importance of any compromised information and of the impact of the incident on the company’s operations,” according to the guidance. “The materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations. The materiality of cybersecurity risks and incidents also depends on the range of harm that such incidents could cause.”
Companies should not make detailed disclosures that could compromise their cybersecurity efforts, but the SEC expects disclosures of risks and incidents that are material to investors, including financial, legal or reputational consequences. The agency also recognized that time may be required to discern the implications of an incident and that cooperation with law enforcement may affect the scope of disclosure. However, an ongoing or internal investigation does not on its own provide a basis for avoiding disclosures of a material cybersecurity incident, the SEC made clear.
“Where a company has become aware of a cybersecurity incident or risk that would be material to its investors, we would expect it to make appropriate disclosure timely and sufficiently prior to the offer and sale of securities and to take steps to prevent directors and officers (and other corporate insiders who were aware of these matters) from trading its securities until investors have been appropriately informed about the incident or risk,” the agency wrote.
Covered entities may also have a duty to correct prior disclosures that they determine were untrue at the time they were made, as well as a duty to update disclosures that become materially inaccurate after being made. Disclosures should be tailored to the particular risks and incidents of the public company, the SEC said, in a “company-by-company approach.”
Companies may need to disclose previous or ongoing cybersecurity incidents in order to place a discussion of these risks in the appropriate context, the guidance explained. For example, if a company previously experienced a denial-of-service attack, “it likely would not be sufficient for the company to disclose that there is a risk that a denial-of-service incident may occur,” the SEC said. “Instead, the company may need to discuss the occurrence of that cybersecurity incident and its consequences as part of a broader discussion of the types of potential cybersecurity incidents that pose particular risks to the company’s business and operations.”
To effectuate the necessary disclosures, the guidance emphasized the importance of cybersecurity risk management policies and procedures. “Companies should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications and to facilitate policies and procedures designed to prohibit directors, officers, and other corporate insiders from trading on the basis of material nonpublic information about cybersecurity risks and incidents,” the SEC advised.
Policies and procedures should not be limited to specifically required disclosures, but be broad enough to encompass the timely collection and evaluation of information potentially subject to required disclosure, the guidance noted. In addition, the SEC cautioned companies that they, as well as their corporate insiders, must be mindful of insider trading concerns that may arise in connection with a cybersecurity incident. In particular, the SEC noted that insiders may violate applicable law if they trade on a company’s securities while in possession of material nonpublic information regarding a cybersecurity risk or incident.
The DFS also provided guidance to its covered entities, specifically the virtual currency (VC) companies licensed in New York, addressing concerns about fraud and, in particular, market manipulation.
“VC Entities are required to implement measures designed to effectively detect, prevent, and respond to fraud, attempted fraud, and similar wrongdoing,” DFS wrote. “[M]arket manipulation is a form of wrongdoing about which VC Entities must be especially vigilant, given that such manipulation presents serious risks both to consumers and to the safety and soundness of financial services institutions.”
Fraud can take many forms, may come from a variety of sources, and may or may not involve criminal activity, the regulator said. A customer might misuse a virtual currency exchange service in an attempt to wrongfully manipulate the price of a virtual currency, or an employee might wrongfully act on insider information regarding that entity’s plans to expand or curtail its services.
“Because fraud and similar wrongdoing can take many forms, effective measures to detect, prevent and respond to such activity will also vary,” the DFS said. “The range of measures implemented by a particular VC Entity to combat fraud and similar wrongdoing must be determined through diligent evaluation of the particular risks faced by that VC Entity.”
At a minimum, such measures must include a written policy that identifies and assesses the full range of fraud-related and similar risk areas (including market manipulation, if applicable); provides effective procedures and controls to protect against identified risks; allocates responsibility for monitoring risks; and provides for periodic evaluation and revision of the procedures, controls and monitoring mechanisms in order to ensure continuing effectiveness, including continuing compliance with all applicable laws and regulations.
As part of these policies and procedures, covered entities must provide for the effective investigation of fraud and other wrongdoing—whether suspected or actual, the DFS said.
“In addition, immediately upon the discovery of any wrongdoing, a VC Entity must submit to the Department a report stating all pertinent details known at the time of the report,” the DFS wrote. Further reports of any material developments must also be provided, in some instances within 48 hours, the regulator said, with records maintained of each incident of wrongdoing.
Why it matters
The SEC’s cybersecurity guidance confirms the agency’s focus on this important disclosure area and its general concern about the risks that cybersecurity incidents pose to investors. It also serves as a warning to covered entities that the agency is keeping a close eye on cybersecurity, with the guidance cautioning that the SEC “continues to monitor cybersecurity disclosures carefully.” The DFS directed virtual currency companies to take the necessary steps to guard against fraud and to be especially vigilant about market manipulation. “By these actions, the market can evolve with strong regulatory supervision,” explained DFS Superintendent Maria T. Vullo.