The Securities and Exchange Commission (“SEC”) voted unanimously to approve a statement and interpretive guidance to assist the public in preparing disclosures about cybersecurity risks and incidents on February 21, 2018. The SEC’s February 2018 guidance expands upon previous guidance provided in October of 2011 by the SEC’s Division of Corporate Finance which addressed the Division’s views regarding disclosure obligations relating to cyber risks and incidents. In response to the October 2011 guidance, many companies included additional cybersecurity disclosures in the form of risk factors. The SEC in response to “increasing significance of cyber security incidents” has determined it is necessary to provide companies with further guidance on managing cybersecurity risks and disclosures of such risks.
The 2018 guidance consists of two main topics that were not developed as part of the 2011 guidance. First, the updated guidance emphasizes the criticality of establishing and maintaining comprehensive policies and procedures related to cybersecurity risks and incidents. Companies are required to “establish and maintain appropriate and effective disclosure controls and procedures that enable them to make accurate and timely disclosures of material events, including those related to cybersecurity.” Second, the guidance is intended to remind companies of the “applicable insider trading prohibitions under the general antifraud provisions of federal securities laws and of their obligations to refrain from making selective disclosures.”
Commission’s Guidance and Overview of the Rules Requiring Disclosure of Cybersecurity Issues
The revised 2018 guidance provides a summation of the SEC’s rules regarding disclosure obligations for materiality of risk. The SEC guides companies to consider the materiality of cybersecurity risks and incidents in preparation of registration statements under the Securities Act of 1933 and the Securities and Exchange Act of 1934 (“Exchange Act”) and periodic reporting under the Exchange Act. Although the disclosure requirements of Regulation S-K and Regulation S-X do not specifically refer to cybersecurity, there are other reporting requirements that could trigger and impose a requirement to disclose cybersecurity risks and incidents. Companies filing periodic reports including annual reporting as part of the company’s Form 10-K file are required to disclose specified information regarding their business operations, risk factors, legal proceedings, management’s discussion and analysis (“MD&A”) of financial condition and results of operations, financial statements, disclosure controls and procedures and corporate governance. The SEC’s guidance says that “companies must provide timely and ongoing information in these periodic reports regarding material cybersecurity risks and incidents that trigger disclosure obligations.” The guidance also makes it clear that Securities Act and Exchange Act registration statements must disclose all material facts required to be stated therein or necessary to make the statements therein not misleading. The SEC recommends that companies consider the adequacy of their cybersecurity related disclosures among other things in the context of Sections 11, 12, and 17 of the Securities Act, as well as Section 10(b) and Rule 10b-5 of the Exchange Act. Moreover, the SEC as part of this guidance reminds companies they are required to disclose “further material information if any as may be necessary to make the required statements in light of the circumstances under which they are made, not misleading.” The SEC considers “omitted information to be material if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available."
Disclosure Analysis and Materiality of Cybersecurity Risk:
The SEC’s guidance offers explanation on how to best identify disclosure obligations concerning cybersecurity risks and incidents. According to the guidance, companies should generally weigh the potential materiality of any identified risks and in the case of cyber incidents the importance of any compromised information and the impact of the incident on the company’s operations. Factors to be considered with respect to materiality involve the nature of the risks, the extent, potential magnitude, and effect on the business and scope of operations. Materiality may also depend on the severity of the harm to the company’s reputation, financial performance, and customer and vendor relationships as well as the possibility of litigation or regulatory investigations.
The guidance explains that companies are not required to provide a road map of disclosures that could compromise existing cybersecurity efforts or enable attackers to take advantage of such disclosure, i.e. specific technical information about cybersecurity systems, related networks and devices or potential system vulnerabilities. Additionally, the guidance makes clear that the SEC understands that some material facts may not be available at the time of initial disclosures, but that ongoing internal investigations or cooperation with law enforcement as part of such investigations will not on its own provide a basis for avoiding disclosures of a material cybersecurity incident. Lastly, the guidance reminds companies of a duty to correct prior disclosures if later determined untrue or material facts were omitted at the time the statement was made. The SEC guidance recommends companies consider whether they should revisit or refresh previous disclosures during the investigation of a cybersecurity incident.
Summary of Risk Factors:
Item 503(c) of the Regulation S-K and Item 3.D of Form 20-F require companies to disclosure the most significant factors that make investments in the companies speculative or risky. The SEC guidance recommends companies consider the following in evaluating cyber security risk factors:
- the occurrence of prior cybersecurity incidents, including their severity and frequency;
- the probability of the occurrence and potential magnitude of cybersecurity incidents;
- the adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including, if appropriate discussing the limits of the company’s ability to prevent or mitigate certain cybersecurity risks;
- the aspects of the company’s business and operations that give rise to material cybersecurity risks and potential costs and consequences of such risks, including industry-specific risks and third party supplier and service provider risks’;
- the costs associated with maintaining cybersecurity protections, including if applicable, insurance coverage relating to cybersecurity incidents or payments to service providers;
- the potential for reputational harm;
- existing or pending laws and regulations that may affect the requirements to which companies are subject relating to cybersecurity and the associated costs to companies; and
- litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.
Management Discussion and Analysis of Financial Condition and Results of Operations
In consideration of disclosures relevant for MD&A of financial condition and results of operations, companies are required under Item 303 of Regulation S-K and Item 5 of Form 20-F to discuss a company’s financial condition and results of operations. The SEC guidance puts costs associated with ongoing efforts to manage cybersecurity risks and incidents in the context of the SEC’s current requirements surrounding these specific disclosures. Factors that companies should consider in the context of these disclosures include the costs associated with loss of intellectual property, costs related to managing the incident, as well as costs associated with prevention, insurance, responding to litigation, regulatory investigations, preparing and complying with proposed legislation, remediation efforts, addressing reputational harm and loss of competitive advantage.
Additionally, the guidance also addresses the necessity of companies making disclosures when such disclosures could directly impact the company’s financial statements. To the extent cybersecurity incidents and the resulting risks may affect a company’s financial statements, the SEC expects that a company’s financial reporting and control systems would be designed to provide reasonable assurances that information about the range and magnitude of the financial impact of a cybersecurity incident would be incorporated into such reporting. The SEC provides the following examples associated with a cybersecurity incident that could impact financial reporting:
- expenses related to investigation; breach notification, remediation and litigation, including the costs of legal and other professional services;
- loss of revenue, providing customers with incentives or loss or customer relationship asset value;
- claims related to warranties, breach of contract, product recall/replacement, indemnification of counterparties, and insurance premiums; and
- diminished future cash flows, impairment of intellectual, intangible or other assets, recognition of liabilities; or increased financing costs.
Board Risk Oversight
Item 407(h) of Regulation S-K and Item 7 of Schedule 14A require a company to disclosure the extent of its board of director’s role in the risk oversight of the company. The SEC guidance makes it clear that to the “extent cybersecurity risks are material to a company’s business we believe this discussion should include the nature of the board’s role in overseeing management of that risk.” Additionally, the guidance makes it clear that “disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.”
Policies and Procedures
Under Exchange Act Rules 13a-15 and 15-15, companies must maintain disclosure controls and procedures and management must evaluate their effectiveness. The rules define “disclosure controls and procedures” as those controls and other procedures designed to ensure that information required to be disclosed by the company in the reports that it files or submits under the Exchange Act is (1) recorded, processed, summarized and reported, within the time periods specified in the SEC’s rules and forms and (2) accumulated and communicated to the company’s management…as appropriate to allow timely decisions regarding required disclosures. The guidance notes that cybersecurity risk management policies and procedures are key elements of enterprise-wide risk management include compliance with federal securities laws. The guidance encourages companies to adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly, including the sufficiency of their disclosure controls and procedures related to a cybersecurity disclosure. The guidance recommends that companies assess whether they have sufficient controls and procedures in place to ensure that relevant information about cybersecurity risks is processed and reported to appropriate personnel, including up the corporate ladder to enable senior management to make disclosure decisions and certifications and to facilitate policies and procedures to prohibit directors, officers and other corporate insiders from trading on the basis of material nonpublic information about cybersecurity risks and incidents.
The SEC guidance encourages companies to consider how their code of ethics and insider trading policies take into account and prevent trading on the basis of material nonpublic information related to cybersecurity risks and incidents. Moreover, the guidance makes it clear that while companies are investigating and assessing significant cybersecurity incidents, and determining the underlying facts, ramifications and materiality of these incidents, they should consider whether it is appropriate to implement restrictions on insider trading of securities. Finally, the guidance cautions companies to consider how to avoid the appearance of improper trading during the period following an incident and prior to the dissemination of disclosure.
Regulation FD and Selective Disclosure
Finally, the SEC’s guidance makes clear that companies are expected to have policies and procedures designed to ensure that any disclosures of material nonpublic information related to cybersecurity are in compliance with Regulation FD. Under Regulation FD “when an issuer or person acting on its behalf, discloses material nonpublic information to certain enumerated persons it must make public disclosure of this information.” The issue of concern is the selective disclosure of material nonpublic information to certain persons prior to making disclosures of the same material to the general public. The bottom line from the SEC’s perspective is that companies and persons acting on their behalf should not selectively disclosure material nonpublic information regarding cybersecurity incidents to Regulation FD enumerated persons before making full disclosures of that same information to the general public. The SEC’s expectation is that these policies and procedures ensure that disclosures of material nonpublic information related to cybersecurity risks and incidents are not made selectively and that any Regulation FD required public disclosure is made simultaneously and is compliant with Regulation FD.
Companies should strongly consider consulting with their securities counsel and a qualified cybersecurity counsel to review this guidance and consider the following:
- Conduct a risk assessment to evaluate cybersecurity risks subject to the attorney client privileged in order to evaluate past disclosures and in consideration of future disclosure.
- Determine if past cybersecurity incidents warrant new or updated disclosures in light of this guidance.
- Immediately review and update incident response plans to address this guidance and ensure pre-breach and post breach planning confirm to the regulatory requirements referenced in this guidance.
- Examine existing policies and procedures and where deficient immediately adopt new policies and procedures to ensure compliance with this guidance and existing regulatory requirements.
- Conduct awareness training for the board of directors and senior management regarding this guidance and specifically on the topic of insider trading.
- Prepare in advance through the use of table top exercises to access incident response and incorporation of the newly issued guidance into the response.