On February 21, 2018, the U.S. Securities and Exchange Commission (SEC) released its latest Interpretive Guidance on Public Company Cybersecurity Disclosures. Although cybersecurity has been a focus of the SEC for many years, the release is the first formal guidance issued by the agency. Previously, the SEC's Division of Corporation Finance issued informal staff guidance in 2011, which we discussed in a past WSGR Alert.
The SEC's new guidance largely adopts the 2011 informal guidance, which focused on companies' obligations to disclose material cybersecurity risks and costs, including in annual reports. The new guidance re-emphasizes the necessity of making material disclosures in 10-Ks and other appropriate forms, including in statements regarding companies' business and operations, risk factors, legal proceedings, management's discussion and analysis of financial condition and results of operations, financial statements, disclosure controls and procedures, and corporate governance.
The new guidance also highlights two specific issues raised by cybersecurity incidents: (1) whether companies have sufficient disclosure controls regarding cybersecurity risks and attacks; and (2) ensuring that directors and officers do not engage in trading between the time that cybersecurity incidents are discovered and before they are publicly disclosed to investors.
With regard to disclosure controls, the SEC's guidance states that "companies should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications . . . ." In practical terms, this means that companies' cybersecurity incident response plans (IRPs) should ensure that both significant incidents as well as more routine incidents are routinely reported to management for consideration of their materiality and disclosure obligations.
Regarding trading windows, the SEC guidance notes that "while companies are investigating and assessing significant cybersecurity incidents . . . they should consider whether and when it may be appropriate to implement restrictions on insider trading in their securities." The guidance goes on to note that many companies already have policies and procedures in place to prevent corporate insiders from trading on the basis of material nonpublic information and strongly suggests that companies should extend these procedures to cybersecurity incidents. It is widely speculated that this guidance is a direct response to concerns about real or perceived insider trading related to companies with reported breaches and/or significant security vulnerabilities affecting its products.
Although the guidance was unanimously adopted, it was criticized by the two Democratic commissioners, Kara Stein and Robert Jackson Jr., for not going far enough. Commissioner Stein also suggested several agenda items for the SEC to consider regarding cybersecurity, including proposing rules to improve boards' risks management frameworks related to cyber risks and threats, requiring companies to provide notice to investors in an appropriate time frame following a cyber attack, and requiring companies to develop and implement cybersecurity-related policies and procedures beyond disclosure requirements.
Regardless, in light of this formal guidance, directors and officers should consider the following questions:
-
Does your company sufficiently disclose cybersecurity risks and costs in annual and quarterly disclosures? How are these evaluated, and how often are they reviewed?
-
Does your company's cybersecurity incident response plan (IRP) sufficiently account for disclosure obligations, including ensuring that company management and the board of directors are sufficiently aware of cyber risks and attacks and that they are adequately reported in public filings?
-
Does your company's IRP account for the potential need to close trading windows? Who should make this assessment, and what factors should be weighed when considering closing trading windows?
-
Does your company's IRP sufficient address disclosure obligations, including the possibility of issuing an 8-K or similar public disclosure, regarding incidents?
