Déjà Vu All Over Again: SEC Provides Cybersecurity Guidance

Pillsbury Winthrop Shaw Pittman LLP

The U.S. Securities and Exchange Commission has issued guidance on cybersecurity disclosure.

Takeaways

  • Companies must establish and maintain appropriate disclosure controls and procedures to make accurate and timely disclosures of material cybersecurity-related events.
  • Companies must protect against misuse and selective disclosure of material nonpublic information regarding cybersecurity by corporate insiders.

On February 21, 2018, the SEC issued an interpretive release regarding disclosure obligations relating to cybersecurity risks and incidents, which builds upon (and, some have lamented, largely repeats) guidance issued by the SEC staff in 2011.

Although none of the disclosure requirements stemming from the Securities Act or the Exchange Act explicitly refer to cybersecurity, the potentially material nature of cybersecurity threats faced by public companies may require several types of disclosures. The SEC states that the materiality of a cybersecurity risk or incident depends upon the “nature, extent, and potential magnitude” of such risk and the “range of harm that such incidents could cause,” including harm to “reputation, financial performance, and customer and vendor relationships, as well as the possibility of litigation or regulatory investigations or actions.” Because cyberattacks take many forms, companies should consider the following aspects of cybersecurity risk:

  • Remediation
  • Security and protection
  • Lost revenue
  • Litigation and regulatory risk
  • Customer or business partner retention
  • Insurance
  • Reputational harm
  • Relative competitiveness

Companies should tailor their disclosure, avoiding boilerplate or generic language. To adequately describe risks, companies may need to discuss prior occurrences of cybersecurity incidents and not merely state that such incidents could occur. However, the SEC’s guidance does not require companies to provide specific or technical information that could make their systems more vulnerable to attack. In addition, while the SEC recognizes that, due to the nature of cybersecurity breaches, a company “may require time to discern the implications of a cybersecurity incident,” ongoing investigations into incidents cannot be used as a reason to avoid or delay disclosure. Such disclosure may need to be updated as an investigation into a cybersecurity incident progresses in order to ensure that the disclosure has not become materially inaccurate or stale.

Companies are expected to make disclosures that are “accurate and timely” and “sufficiently prior to the offer and sale of securities.” Companies accordingly need to be particularly mindful when undertaking an offering of securities that any cybersecurity incidents have been adequately disclosed to the extent that such information would be material to investors. In light of the SEC’s guidance, companies accessing the public capital markets should be prepared for increased diligence from underwriters regarding cybersecurity risks they face and their preparedness, including requests for comprehensive representations in underwriting agreements.

The SEC reinforced the SEC staff’s guidance from 2011 by emphasizing where existing disclosure requirements may require a company to disclose information relating to cybersecurity risks and incidents in its periodic reports:

The new release expands upon the SEC’s prior guidance from 2011 in two notable areas. First, it stresses the importance of robust disclosure controls and procedures regarding cybersecurity. Second, it repeatedly emphasizes that the use of material nonpublic information regarding cyber threats and incidents can violate insider trading rules. Companies should assume that both of these topics will be given increased scrutiny by the Division of Enforcement.

Disclosure Controls and Procedures

Companies are required, under Exchange Act Rules 13a-15 and 15d-15, to maintain disclosure controls and procedures that not only capture and record information required to be disclosed, but also communicate such information to management in a timely manner. In the context of cybersecurity, companies should be able to “identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents.” This may mean developing new processes and controls for surfacing and assessing cybersecurity incidents in real time so that they can be evaluated and escalated up the corporate reporting chain in a timely fashion. These processes should cover identifying cybersecurity risks and incidents and assessing their impact, disclosing such events in an appropriate and timely way, and correcting or updating prior statements where needed.

Insider Trading

The new guidance also highlights the SEC’s attention to cybersecurity as it relates to insider trading. The SEC explicitly notes that “information about a company’s cybersecurity risks and incidents may be material nonpublic information, and directors, officers and other corporate insiders would violate the antifraud provisions if they trade the company’s securities in breach of their duty of trust or confidence while in possession of that material nonpublic information.” The guidance encourages companies to review their codes of ethics and insider trading policies to explicitly prohibit trading while insiders are aware of undisclosed cybersecurity events or their expected consequences. Similarly, the guidance encourages companies to consider preventative measures that address the appearance of improper trading in the context of a cyber event.

Board Risk Oversight

The guidance notes that SEC regulations “require a company to disclose the extent of its board of directors’ role in the risk oversight of the company, such as how the board administers its oversight function and the effect this has on the board’s leadership structure.” In particular, the guidance states that the SEC believes “disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.”
