On Feb. 21, the Securities and Exchange Commission (SEC) released interpretive guidance on public companies’ disclosure practices regarding cybersecurity breaches and risks to the public.
The guidance reinforces and expands upon the SEC Division of Corporation Finance’s October 2011 guidance, which stated that although no disclosure requirement explicitly referring to cybersecurity risks and cyber incidents existed at that time, companies nonetheless may be obligated to disclose such risks and incidents. The SEC’s latest guidance addresses in greater detail two additional topics: the importance of cybersecurity policies and procedures and the application of insider trading prohibitions in the cybersecurity context.
Generally, the guidance states that – given the “frequency, magnitude and cost of cybersecurity incidents” – companies should inform investors about material cybersecurity risks, even if the company has not yet been the victim or target of a cyberattack. It states that firms should have policies and procedures in place to publicly disclose breaches in a timely fashion and to prevent corporate insiders from exploiting their knowledge of a cybersecurity incident by trading on material non-public information before the breach is publicly disclosed. It also recommends that the most effective cybersecurity disclosure controls and procedures result when a company’s directors, officers and others are informed about the risks and incidents that the company has faced or is likely to face.
The first section of the guidance outlines the existing rules requiring disclosure of cybersecurity-related issues and provides guidance on the timing, nature and amount of disclosure expected. It reminds issuers that they are required to establish “appropriate and effective disclosure controls and procedures that enable them to make accurate and timely disclosures of material events, including those related to cybersecurity” to assist in meeting their disclosure obligations under federal securities laws. It recommends firms consider the materiality of cybersecurity risks and incidents to investors when preparing disclosure in registration statements, current reports and periodic reports, while also considering the adequacy of their cybersecurity-related disclosure to avoid omitting any information that could result in a misleading disclosure.
Despite the need for adequate disclosure, the guidance clarified that a company need not make disclosures so detailed that they could compromise cybersecurity efforts and that the SEC does “not expect companies to publicly disclose specific, technical information about their cybersecurity systems, the related networks and devices, or potential system vulnerabilities in such detail” that it would make them more susceptible to a cybersecurity incident.
In relation to the disclosure of a company’s risk factors, the guidance provides several factors to be considered in evaluating the level of risk, such as the occurrence of prior cybersecurity incidents, the probability and potential magnitude of cybersecurity incidents, the adequacy of preventive actions taken to reduce cybersecurity risks, and the associated cost, as well as the risk of reputational harm, litigation or regulatory investigation as a result of a cybersecurity incident. In addition, the SEC expects a company’s financial statements will include information regarding the range and magnitude of the financial impact of a cybersecurity event “on a timely basis as the information becomes available.”
Policies and Procedures
The guidance then expands on existing SEC statements to emphasize the importance of creating and maintaining comprehensive risk management policies and procedures specifically related to cybersecurity risks and incidents. It encourages firms to assess disclosure controls and procedures to ensure that relevant cybersecurity information “is processed and reported to the appropriate personnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications.” It also calls for the creation of policies and procedures that prohibit directors, officers and others from making trades based on non-public material information.
Further, the guidance states that disclosure controls and procedures should “ensure timely collection and evaluation of information potentially subject to required disclosure, or relevant to an assessment of the need to disclose developments and risks that pertain to the company’s businesses.” The guidance encourages companies, when designing and evaluating disclosure controls and procedures, to consider whether they will appropriately record, process, summarize and report the cybersecurity-related information they are required to disclose in filings. Disclosure controls and procedures should also enable companies to “identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents.”
Significantly, the guidelines include an emphasis on considerations related to insider trading. In the interests of safeguarding against officials trading on non-public information before a cyber incident is disclosed, the guidance suggests companies consider adding the specific context of a cyber event to any preventive measures they may have already adopted to address the appearance of improper trading. This inclusion comes after several high-profile hacking incidents – including at the SEC itself – implicating trading on non-public information. The guidance underscores that non-public information, regarding a company’s cybersecurity risks or breaches may constitute material, non-public information and corporate insiders would violate anti-fraud provisions should they use any such knowledge to trade the company’s securities.
As a result, the SEC encourages companies to review their codes of ethics and insider trading policies through a cybersecurity lens in order to prevent such activity. In addition, it suggests that firms investigating cyber incidents should consider “whether and when it may be appropriate to implement restrictions on insider trading in their securities.” The guidance states that such a measure could protect against corporate insiders engaging in such activities and help affected companies “avoid the appearance of improper trading” in the wake of a cybersecurity breach. The guidance also emphasizes that in disclosing cybersecurity events, issuers need to be mindful of the prohibitions against selective disclosure embodied in Reg FD and ensure that when a disclosure is made to an enumerated Reg FD person (such as a broker, investment adviser or holder likely to trade in company shares), disclosure is simultaneously made to the public.
The guidelines remain “guidance,” rather than any formal rule change. In a statement released with these guidelines, Chairman Jay Clayton noted that the guidelines reflect “the Commission’s views on this matter to promote clearer and more robust disclosure,” so that investors receive more complete information. Clayton reminded companies that investors may find fault with a company’s actions even when the SEC does not. “In particular, I urge public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives,” he said, a reminder that other considerations exist beyond regulatory requirements when it comes to cybersecurity. Clayton also emphasized that the SEC would continue to evaluate and monitor developments concerning cyber disclosure and consider whether additional guidance or rules may be needed.