On February 21, 2018, the Securities and Exchange Commission (“SEC”) issued Statement and Interpretive Guidance on Public Company Cybersecurity Disclosures. The SEC previously addressed this topic in 2011 in Disclosure Guidance: Topic No. 2, issued by the Division of Corporation Finance. According to SEC Chairman Jay Clayton, the new interpretive guidance “reinforces and expands” the Division’s 2011 guidance and “addresses the importance of policies and procedures related to disclosure controls and procedures, insider trading and selective disclosures.” In connection with the release of the new guidance, the SEC Chairman has asked the Division of Corporation Finance to continue to “carefully monitor cybersecurity disclosures” as part of its review process, which is likely to lead to more SEC comments on cybersecurity disclosures.
The 2018 interpretive guidance provides a comprehensive overview of the SEC’s position on cybersecurity issues faced by public companies. In addition to reminders about cybersecurity disclosure touchpoints (i.e., risk factors, management’s discussion and analysis of financial condition and results of operations, description of business, legal proceedings and financial statements), which are largely the same as disclosure reminders included in the 2011 guidance, the 2018 release makes it clear that the SEC places great emphasis on cybersecurity risk management policies and procedures and considers them to be “key elements of enterprise-wide risk management.”
In light of the new SEC guidance, public companies should:
- re-evaluate the process that the company’s board of directors uses to discharge its responsibility for cybersecurity risk oversight;
- review the company’s policies and procedures related to disclosure controls and procedures, insider trading and selective disclosures; and
- consider whether the company’s cybersecurity risk factor and other disclosures need to be refreshed.
Board’s Responsibility for Cybersecurity Risk Oversight. Companies should review their cybersecurity risk management program and evaluate how the board of directors “engages with management on cybersecurity issues” to discharge its responsibility for cybersecurity risk oversight. The 2018 release states that, to the extent cybersecurity risks are material to a company’s business, the proxy statement discussion of the board’s role in the risk oversight of the company should include “the nature of the board’s role in overseeing the management of that risk.” Companies should also review their disclosures related to board risk oversight to determine whether such disclosures should be expanded to address the board’s responsibility for cybersecurity risk oversight.
Effective Disclosure Controls and Procedures. Companies should evaluate whether their controls and procedures include the protocols that will enable them to: “identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents.” The SEC’s new guidance makes it clear that (i) the CEO and CFO certifications regarding the design and effectiveness of the company’s disclosure controls and procedures and (ii) the company’s disclosures regarding its conclusions on the effectiveness of those disclosure controls and procedures “should take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact.”
Application of Insider Trading Prohibition to Cybersecurity Risks and Incidents. Companies should review their insider trading policies to make sure that the company has appropriate policies and procedures in place to prevent directors, officers, and other corporate insiders from trading in the company’s securities on the basis of material nonpublic information about its cybersecurity risks and incidents, prior to public disclosure of such risks or incidents. The SEC release suggested that “while companies are investigating and assessing significant cybersecurity incidents, and determining the underlying facts, ramifications and materiality of these incidents, they should consider whether and when it may be appropriate to implement restrictions on insider trading in their securities.”
Selective Disclosures about Cybersecurity Risks and Incidents. Companies should review their Regulation FD policies and procedures to make sure that disclosures of material nonpublic information related to cybersecurity risks and incidents are not made selectively in violation of Regulation FD. The SEC release states that companies and persons acting on their behalf should not selectively disclose material, nonpublic information regarding cybersecurity risks and incidents before disclosing that same information to the public.
Prior Cybersecurity Disclosures and Materiality Determinations. Companies should consider whether they need to “revisit or refresh” previous cybersecurity disclosures. The SEC expects companies to disclose cybersecurity risks and incidents that are material to investors. The SEC clarified that the materiality of cybersecurity risks or incidents generally depends upon: (i) the nature, extent, and potential magnitude of cybersecurity risks or incidents (for example, whether compromised information includes personally identifiable information, trade secrets or other confidential business information); as well as (ii) the range of harm that such cybersecurity incidents could cause (for example, harm to a company’s reputation, financial performance, and customer and vendor relationships, as well as the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities).
Although the SEC recognizes that a company may need time to “discern the implications of a cybersecurity incident,” and that ongoing internal and law enforcement investigations of a cybersecurity incident may be lengthy and may affect the scope of disclosure regarding the incident, the SEC believes that an ongoing internal or external investigation “would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.” However, the SEC stated in the release that it does not expect companies to publicly disclose “specific, technical information about their cybersecurity systems, the related networks and devices, or potential system vulnerabilities in such detail as would make such systems, networks, and devices more susceptible to a cybersecurity incident.”