On Wednesday, February 21, 2018, the United States Securities and Exchange Commission (SEC) published cybersecurity risk disclosure guidance (the SEC Guidance) for public companies to assist them in preparing disclosure related to these types of risk and incidents. The SEC Guidance does not propose new rules or rule amendments that would impose new requirements, but rather expresses the SEC’s views within the existing disclosure framework. It is nonetheless important because, as with previous cybersecurity guidance in 2011 (see below), SEC staff can be expected to turn to it when evaluating the adequacy of disclosures.
The SEC Guidance is also important because it places new emphasis on:
- having appropriate cybersecurity policies and procedures in place to disclose material cybersecurity information to investors; and
- preventing insider trading in the context of a cybersecurity incident.
The SEC Guidance reflects statements made by the SEC’s chair Jay Clayton that “cybersecurity is critical to the operations of companies and our market” and recognizes that cybersecurity risk poses a threat to the entire US economy.
This threat has increased since the SEC issued its last interpretive guidance on Cybersecurity in 2011. The 2011 Cybersecurity Guidance outlined the staff’s views on how companies should describe cybersecurity matters and their potential effects under existing disclosure rules. It also commented on the ways in which cybersecurity matters may affect financial statement disclosure. The 2018 Cybersecurity Guidance is similarly motivated towards promoting “clearer and more robust disclosure” by businesses, according to a statement from SEC Chairman Jay Clayton.
Cybersecurity Disclosure Requirements
There can be significant costs for companies experiencing cybersecurity incidents, including remediation costs, additional cybersecurity protection costs, increased insurance costs, opportunity costs from lost revenue, and legal costs arising from either investor actions, litigation, or regulatory investigations by government agencies. These costs can adversely affect a company’s market value and future stock performance. The SEC Guidance therefore recognizes investors have an interest in the disclosure of cybersecurity risks:
Given the frequency, magnitude and cost of cybersecurity incidents, the Commissioner believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.
The SEC indicated that it had designed its guidance “to be consistent with the relevant disclosure considerations that arise in connection with any business risk.” The SEC Guidance provides consideration for companies on how to address assessments of materiality, a possible duty to correct or update cybersecurity disclosures, and disclosure concerning board oversight of cybersecurity
The SEC considers information material if there is a substantial likelihood that a reasonable investor would consider the information important when making an investment decision or disclosure of the information would be viewed by a reasonable investor as having significantly altered the “total mix” of information available. Although the disclosure requirements of Regulation S-K and Regulation S-X do not specifically address cybersecurity risk and incidents, cybersecurity risks or incidents could nonetheless be material depending upon their “nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations….[and] on the range of harm that such incidents could cause.” Once a company discloses a cybersecurity risk or incident, it may have a legal duty to correct or update the disclosure.
Making timely and accurate disclosure of cybersecurity information can be a delicate balancing act. Often in the context of a data breach, it can take time to gather all the information necessary to paint an accurate picture of what occurred. Companies need to make a decision on how much information gathering is enough before disclosing to satisfy the timeliness requirement. Importantly, the SEC Guidance clarifies that an ongoing law enforcement investigation, which often takes significant time, is not basis on its own for non-disclosure of a material cybersecurity incident.
Cybersecurity-related disclosure also involves decisions of how much technical information to include. While companies want to give investors an accurate picture of their cybersecurity risk profile, they may not want to alert bad actors to potential opportunities. The SEC Guidance indicates that cybersecurity disclosure should not be so technically detailed that bad actors can use it as a “roadmap” to attack a company’s systems. Management Discussion and Analysis (MD&A) should discuss cybersecurity factors affecting the financial condition of a company such as costs of a cybersecurity incident, insurance and compliance costs, intellectual property loss, and expenses related to ongoing preventative efforts.
The SEC Guidance flags several cybersecurity risk factors which companies should consider in their form 20-F reporting. These include:
- the occurrence of prior cybersecurity incidents, including their severity and frequency
- the probability of the occurrence and potential magnitude of cybersecurity incidents;
- the adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including, if appropriate, discussing the limits of the company’s ability to prevent or mitigate certain cybersecurity risks;
- the aspects of the company’s business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks, including industry-specific risks and third party supplier and service provider risks;
- the costs associated with maintaining cybersecurity protections, including, if applicable, insurance coverage relating to cybersecurity incidents or payments to service providers;
- the potential for reputational harm;
- existing or pending laws and regulations that may affect the requirements to which companies are subject relating to cybersecurity and the associated costs to companies; and
- litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.
The SEC Guidance clarifies that a company experiencing a cybersecurity incident such as a distributed denial of service (DDoS) attack cannot simply disclose the risk such an incident may occur. The company may also need to discuss how the occurrence of the incident affects its broader cybersecurity risk profile. This is significant because mandatory cybersecurity incident reporting requirements are currently a hot topic in many jurisdictions including the United States, European Union, and Canada.
Insider Trading & Cybersecurity
Trading by directors, officers and other corporate insiders while in possession of material nonpublic information about a security, commonly referred to as insider trading, is illegal. The SEC Guidance renews emphasis on the prevention of insider trading in the event of a cybersecurity incident, which could be material nonpublic information. The SEC suggests that that while a company is investigating a cybersecurity incident that has not yet been publicly disclosed, it would be prudent for the company to consider whether to restrict trading by its insiders. This restriction could extend to individuals in IT departments and digital forensics firms who may come across material nonpublic information in the response to a cybersecurity incident.
Implications for Canada
There are several implications of the SEC Guidance which affect Canadian companies. Dual-listed companies should be aware of the SEC Guidance, and may want to update their policies and disclosure procedures accordingly. Canadian companies which are not traded in the United States may also benefit from a review of their cybersecurity disclosure practices. The fast-paced development of the cybersecurity field means that policies and procedures need to be updated on a consistent basis.
Regulators in Canada carefully monitor developments in other jurisdictions and have been active in the cybersecurity space. For example, in October 2017 the Canadian Securities Administrators issued guidance on cybersecurity and social media. While the Canadian regulatory regime is different, it is informed by developments elsewhere and companies may wish to take a closer look at the SEC Guidance when reviewing their policies and practices.