Cybersecurity Disclosures: A 2018 Priority For Public Companies

Snell & Wilmer

Dear clients and friends,

For this edition of the Corporate Communicator, we summarize key considerations of an interpretative release from the SEC about the SEC’s views on companies’ disclosure obligations relating to cybersecurity risks and incidents.

Very truly yours,

Snell & Wilmer
Corporate & Securities Group

In the first half of 2018, the Securities and Exchange Commission (the “SEC”) sent a warning to public companies: cybersecurity is now a board-level issue regardless of whether a security breach has occurred. The SEC later punctuated this message by initiating against Yahoo! (now Altaba) its first-ever enforcement action for failing to report a cybersecurity incident.

Around this same time, on February 21, 2018, the SEC issued an interpretive release making explicit its position that cybersecurity risks and incidents can be material issues requiring disclosure alongside more “traditional” events triggering reporting obligations. The SEC’s recent interpretive guidance expands upon its prior 2011 guidance from the Division of Corporation Finance recommending disclosure of cyber-related matters.

In the new release, the SEC emphasized that companies should consider whether material cybersecurity risks and incidents should be disclosed in registration statements, periodic reports and other filings as part of the disclosure of risk factors, management’s discussion and analysis, descriptions of the company’s business and legal proceedings, and financial statements. The SEC explained that the test for materiality for cybersecurity risks and breaches is the same facts-and-circumstances analysis applicable in other contexts: whether there is a substantial likelihood that a reasonable investor would consider such information important in making an investment decision. In making these determinations, companies should evaluate the potential magnitude and range of harm that such an incident could cause to the company and its investors. In addition, the SEC reminded public companies that new cybersecurity incidents may require companies to correct and update prior filings that were true at the time of their publication but which have become materially inaccurate. This would include, for example, revising a risk factor to take into account actual incidents, rather than a vague reference that a cybersecurity breach “might” occur in the future.

Disclosure Controls and Procedures; Board Risk Oversight

The SEC makes clear in its new release that disclosure controls and procedures need to include controls and procedures to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder, to enable senior management to make timely disclosure decisions about the impact on the company’s business. In this regard, the SEC suggested that effective disclosure controls and procedures should provide for open communications between technical experts and disclosure advisors.

While acknowledging that companies may need time to assess and analyze cybersecurity incidents, the SEC stated that such response periods and demands do not necessarily allow companies to delay disclosure of a material cybersecurity incident until such time that it has been addressed and contained.

Relating to risk oversight, the SEC reminded companies that they must include a description of how the board administers its risk oversight function. With respect to this disclosure obligation, the SEC stated that, to the extent cybersecurity risks are material to a company’s business, it believes the risk oversight discussion should cover the nature of the board’s role in overseeing the management of cybersecurity risks.

Insider Trading

The SEC’s release specifically stated that knowledge of cyber breaches can constitute material nonpublic information, thereby subjecting insiders who trade on that information to insider trading liability. The release encourages public companies to adjust their insider trading policies to specifically address cybersecurity information.

Yahoo!: The New Poster Child

Prior to its enforcement action against Altaba Inc. (formerly Yahoo! Inc.), the SEC had not brought a case for failure to disclose a cybersecurity incident. As its 2018 statement was released shortly after its settlement of the Altaba action, some experts believe that the SEC was waiting for a dramatic cybersecurity incident in order to capture the attention of public companies.

On April 24, 2018, the SEC announced a settlement with Altaba under which Altaba agreed to pay $35 million and initiate remedial actions to resolve the SEC’s claim that it had violated securities laws by failing to disclose a major security breach for nearly two years.

In December 2014, Altaba’s information security team discovered that Russian cyber hackers had stolen its most valuable customer information, including usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers for hundreds of millions of account holders. Although the breach was reported internally to senior management and its legal department, Altaba did not publicly disclose the breach until 2016 as part of the disclosure process in its acquisition by Verizon Communications, Inc.

The SEC’s order focused on: (i) Altaba’s misleading risk factor, noting that generally identifying the potential of future data breaches is misleading when a material breach has already occurred; (ii) the failure to disclose the consequences of the data breach as a known trend and uncertainty in MD&A; and (iii) the company’s misleading representation that there was an absence of data breaches in a merger agreement filed as an exhibit to an Exchange Act report. The SEC also noted the deficiency in Altaba’s disclosure controls and procedures, indicating that the procedures were insufficient to ensure that cyber events identified by the information technology officials were appropriately evaluated for potential disclosures.

What Companies Should Do

Public companies should consider taking the following steps in addressing cybersecurity disclosures in light of the SEC’s release and the Altaba enforcement action:

  • Update risk factors to account for prior cybersecurity incidents;
  • Integrate cybersecurity disclosure into registration statements and periodic filings (e.g., MD&A and descriptions of the company’s business and legal proceedings);
  • Disclose material breaches and other incidents on Form 8-K;
  • Consider whether material cybersecurity incidents represent loss contingencies that should be disclosed as such;
  • Update insider trading policies to address knowledge about cybersecurity incidents; and
  • Make cybersecurity risk a subject of board oversight.

Written by:

Snell & Wilmer