The SEC Releases New Cybersecurity Disclosure Guidance
On February 21, 2018, the Securities and Exchange Commission (“SEC”) issued an interpretive release (the “Guidance”) meant to “assist public companies in preparing disclosures about cybersecurity risks and incidents.”
The Guidance begins by acknowledging the grave threats posed by cybersecurity incidents, including both “unintentional events” and “deliberate attacks.”
With this background, the SEC demands that “public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion.”
The Guidance reminds companies of their disclosure obligations under the Securities Act of 1933, as amended, and the Securities Exchange Act of 1934, as amended, and echoes the staff’s 2011 guidance in reminding companies to consider the materiality of cybersecurity issues when preparing disclosures in SEC filings. The Guidance makes it clear that, depending on the particular circumstances, companies may have an obligation to disclose cybersecurity risks and incidents as part of their ongoing disclosure obligations. Some circumstances that would most likely come within the ambit of prescribed disclosure requirements include the following:
Material risks associated with cybersecurity and cybersecurity incidents, including those “that arise in connection with acquisitions”;
Management’s views regarding how the “cost of ongoing cybersecurity efforts (including enhancements to existing efforts), the costs and other consequences of cybersecurity incidents, and the risks of potential cybersecurity incidents” have affected and will affect the company’s financial condition and results of operations;
Incidents or risks that materially affect a company’s “products, services, relationships with customers or suppliers, or competitive conditions”;
Material pending legal proceedings related to cybersecurity issues;
Cybersecurity incidents and resultant risks that may affect a company’s financial statements (including costs related to investigation, remediation and litigation, losses in revenue, resulting legal claims, and diminished future cash flows); and
The role of the board of directors in overseeing and managing cybersecurity risks when such risks are material to the company’s business.
The Guidance reminds companies that, in addition to considering their cybersecurity-related disclosure obligations in the context of specific disclosure requirements, they must also disclose “such further material information, if any, as may be necessary to make the required statements, in light of the circumstances under which they are made, not misleading.”
The concept of “materiality” presents a nebulous directive for cybersecurity-related disclosure requirements, but the Guidance directs companies, in deciding whether to make a public disclosure, to consider the nature and extent of an incident or risk, the potential reputational and financial harm, the likelihood of legal or regulatory investigations or actions, and the occurrence of any prior cybersecurity incidents.
Disclosure Controls and Procedures
The Guidance urges companies to ensure that comprehensive cybersecurity policies and procedures are in place and to regularly evaluate their compliance with such policies and procedures as well as the sufficiency of their disclosure controls and procedures to ensure timely disclosure of cybersecurity-related matters. The Guidance states, “Controls and procedures should enable companies to identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents.”
Other Areas of Consideration
While the bulk of the Guidance reaffirms directives established in the 2011 cybersecurity disclosure guidance, the SEC acknowledged that it specifically covers new ground with regard to insider trading considerations and selective disclosure requirements.
The Guidance stresses that “information about a company’s cybersecurity risks and incidents may be material nonpublic information.”
Selective Disclosure Requirements
The Guidance clarifies that companies should enact policies and procedures to prevent selective disclosure of material nonpublic information related to cybersecurity risks and incidents: “Under Regulation FD, ‘when an issuer, or person acting on its behalf, discloses material nonpublic information to certain enumerated persons it must make public disclosure of that information.’”
Overall, the Guidance does not create overly burdensome new requirements. Companies with reasonable policies and procedures in place most likely will not need to adopt new policies and procedures based on the Guidance. However, it remains to be seen whether issuance of the Guidance is a prelude to stricter SEC enforcement when it comes to disclosures around cybersecurity risks and incidents. In recent remarks, FBI Director Christopher Wray said, “We don't view it as our responsibility when companies share information with us to turn around and share that information with some of those other agencies,” and further remarked that the FBI “[treats] victim companies as victims.”
In the meantime, it is recommended that companies take this opportunity to review their disclosure controls and procedures to ensure that they sufficiently address cybersecurity disclosure, as well as their existing policies and procedures to ensure that insider trading and selective disclosure of material nonpublic information are adequately prohibited. Furthermore, companies—especially boards of directors—should review their cybersecurity risk management policies to ensure that they have a thorough understanding of the cybersecurity risks posed and the policies in place that address such risks.