The Securities and Exchange Commission (“SEC”) recently issued a statement and guidance to assist public companies in adequately disclosing cybersecurity risks and incidents. The new interpretive guidance, which became effective February 26, 2018, substantially expands on the SEC’s 2011 guidance on cybersecurity-related disclosures.
Recognizing the increasing frequency of cybersecurity incidents, the SEC’s new guidance finds that “it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.” Thus, the new guidance emphasizes that companies must assess the materiality of any cybersecurity incidents that may occur, as well as any existing cyber-related risks, when they prepare and file disclosures pursuant to securities laws.
The SEC further advises that the materiality of cybersecurity risks or incidents depends on their “nature, extent, and potential magnitude,” in addition to the range of harm that an incident could cause to a company’s operations and reputation. Companies must put adequate disclosure controls in place to ensure accurate and timely disclosure of any material events or risks relating to cybersecurity, taking into consideration, among other factors: (i) prior cybersecurity incidents, (ii) company-specific data or operations that create unique risks, (iii) the probability and potential magnitude of an incident, and (iv) costs relating to cybersecurity risks and protections, including applicable cyber insurance.
While material cybersecurity risks and incidents must be disclosed, the SEC reaffirmed its statement from its 2011 cybersecurity guidance that companies are not required to—and should not—provide a “roadmap” for cyber criminals to use to exploit a company’s cyber defenses. Accordingly, disclosure of specific, technical descriptions of system vulnerabilities is not required.
The SEC’s new guidance also stresses the importance of establishing appropriate internal controls to ensure that corporate insiders do not trade company stock on the basis of material nonpublic information relating to a company’s cybersecurity risks. In particular, when a company is in the process of investigating a potential cybersecurity incident, the SEC advises that companies should place restrictions on insider trading to avoid any potential improper trading between the time the incident is identified and when details of the incident can be properly disclosed to the public.