SEC Issues Guidance on Cybersecurity, Two Commissioners Question Scope of the Action


On Feb. 20, 2018, the SEC voted unanimously to issue interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents. The Commission guidance builds on and expands the staff guidance issued in 2011. The guidance provides the Commission’s views about public companies’ disclosure obligations under existing law with respect to matters involving cybersecurity risk and incidents. It also addresses the importance of cybersecurity policies and procedures and the application of disclosure controls and procedures, insider trading prohibitions, and Regulation FD and selective disclosure prohibitions in the cybersecurity context.

At the Practising Law Institute’s recent SEC Speaks conference, William H. Hinman, director of the SEC’s Division of Corporation Finance, noted that the 2011 guidance, which was principles-based, had worked well since its issuance. The new Commission statement refreshed some of the language, but retained much of the original staff advice, according to the director.

There are some key differences between the new statement and the 2011 guidance, however, noted Director Hinman. The first is that the new statement is Commission guidance, while the staff issued the original interpretation. The second is that the new guidance deals with two points not fully developed in the earlier staff advice. These include emphasizing the importance of:

  • maintaining comprehensive policies and procedures related to cybersecurity risks and incidents that are integrated throughout the disclosure process; and
  • the obligation of directors, officers and other corporate insiders to comply with applicable insider trading prohibitions and to refrain from making selective disclosures of material nonpublic information about cybersecurity risks or incidents.

The guidance begins with a discussion of materiality, one of the bedrock principles of the SEC’s disclosure regime. The Commission reminded companies of their obligation to consider the materiality of cybersecurity risks and incidents when preparing registration statements and periodic and current reports.

The SEC noted that in determining their disclosure obligations regarding cybersecurity risks and incidents, companies generally weigh:

  • the potential materiality of any identified risk;
  • the importance of any compromised information; and
  • the impact of the incident on the company’s operations.

The materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations. According to the Commission, registrants need not “draw a map,” or make detailed disclosures that could compromise their cybersecurity efforts. For example, issuers need not publicly disclose specific, technical information about their cybersecurity systems or potential system vulnerabilities that would make them more susceptible to a cybersecurity incident.

The SEC also advised that companies should provide disclosure that is tailored to their particular cybersecurity risks and incidents. Issuers should avoid generic cybersecurity-related disclosure and provide specific information that is useful to their investors.

Risk Factors

Item 503(c) of Regulation S-K and Item 3.D of Form 20-F require companies to disclose the most significant factors that make investments in the company’s securities speculative or risky. In drafting these risk factors with regard to cybersecurity, the SEC urged issuers to consider:

  • the occurrence of prior cybersecurity incidents, including their severity and frequency;
  • the probability of the occurrence and potential magnitude of cybersecurity incidents;
  • the adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including, if appropriate, discussing the limits of the company’s ability to prevent or mitigate certain cybersecurity risks;
  • the aspects of the company’s business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks, including industry-specific risks and third party supplier and service provider risks;
  • the costs associated with maintaining cybersecurity protections, including, if applicable, insurance coverage relating to cybersecurity incidents or payments to service providers;
  • the potential for reputational harm;
  • existing or pending laws and regulations that may affect the requirements to which companies are subject relating to cybersecurity and the associated costs to companies; and
  • litigation, regulatory investigation and remediation costs associated with cybersecurity incidents.

The Commission noted that in meeting their disclosure obligations, companies may need to disclose previous or ongoing cybersecurity incidents or other past events in order to place discussions of these risks in the appropriate context.

The key takeaway with regard to the risk factor discussion is to make the risk factors meaningful, relevant and current. Issuers should not cut and paste last year’s list into this year’s filing, or copy the factors filed by a peer company.

MD&A and Other Disclosures

The SEC advised that companies should consider covering the cost of ongoing cybersecurity efforts, the costs and other consequences of cybersecurity incidents, and the risks of potential cybersecurity incidents in their MD&A. Cyber risks may also need to be disclosed in several other areas of the financial statements and SEC filings, such as:

  • description of the business;
  • legal proceedings; 
  • financial statement disclosures (such as loss of revenue, warranty claims, product recalls, diminished future cash flows, or impairment of intellectual, intangible or other assets); and
  • board risk oversight.

Policies and Procedures

The SEC encourages companies to adopt comprehensive policies and procedures related to cybersecurity and to regularly assess their sufficiency and compliance as they relate to cybersecurity disclosure. Companies should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel.

Companies should not limit their disclosure controls and procedures to disclosures that are specifically required by the rules. Rather, issuers should focus on ensuring timely collection and evaluation of information that is potentially subject to required disclosure, or relevant to an assessment of the need to disclose developments and risks that pertain to the company’s businesses. These controls are subject to the certification requirements for the principal executive officer and principal financial officer of the company. These certifications and disclosures should take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact.

Insider Trading

Coming on the heels of high-profile breaches such as Equifax, the Commission issued a strong reminder to companies that “directors, officers, and other corporate insiders should be mindful of complying with the laws related to insider trading in connection with information about cybersecurity risks and incidents, including vulnerabilities and breaches.” The guidance stated that information about a company’s cybersecurity risks and incidents could be material nonpublic information, and directors, officers and other corporate insiders would be in violation of the antifraud provisions if they traded in the company’s securities in breach of their duty of trust or confidence while in possession of that material nonpublic information.

Corporation Finance Director Hinman observed at the SEC Speaks conference that it would “not be a bad idea” for companies to adopt a prophylactic prohibition on trading while companies are investigating and assessing significant cybersecurity incidents. Such a provision would bar trades by insiders until the breach is publicly disclosed.

Regulation FD

The SEC advised companies in the guidance of their obligation to comply with Regulation FD. Companies and persons acting on their behalf must not selectively disclose material, nonpublic information regarding cybersecurity risks and incidents to persons specified in Regulation FD (generally, broker-dealers, investment advisers, investment companies or holders of the issuer’s securities under circumstances in which it is reasonably foreseeable that the person will trade in the issuer’s securities on the basis of the information) before disclosing that same information to the public.

The SEC stated that it expects companies to have policies and procedures in place to ensure that any disclosures of material nonpublic information related to cybersecurity risks and incidents are not made selectively, and that any Regulation FD-required public disclosure is made simultaneously (in the case of an intentional disclosure as defined in the rule) or promptly (in the case of a non-intentional disclosure) and is otherwise compliant with the requirements of that regulation.

The Big Picture

The SEC’s cybersecurity guidance is not rulemaking, and it contains no surprising developments. It does not break new ground, and is largely a series of reminders and suggestions about what companies should have been doing all along. It is significant that the advice comes from the top, and has the imprimatur of the Commission itself. It is a valuable exercise, but I am sure that many readers of the release will come to the end wondering what all the excitement was about.

I am not alone in that feeling, as two SEC commissioners expressed their disappointment with the agency’s action. Commissioner Robert J. Jackson Jr. stated that he “reluctantly” supported issuing the release as a first step toward combatting cyber abuses. He noted that “the guidance essentially reiterates years-old staff-level views on this issue” and that “economists of all stripes agree that much more needs to be done.”

Commissioner Kara Stein expressed an even stronger sense of disappointment with what she saw as a missed opportunity. She conceded that the guidance provides “valuable reminders,” but saw the release as in large part a rehash of the 2011 staff document. She asked, “should we be, in effect, re-issuing staff guidance solely to lend it a Commission imprimatur?”

Commissioner Stein suggested several steps the Commission could have taken beyond reminding registrants of their obligations under current law. She said the SEC could have:

  • examined what the staff has learned since the release of its 2011 guidance and provided new guidance that capitalized on these findings;
  • discussed the various advances in technology used in cyberattacks since 2011, and how such advances could affect a company’s disclosure regarding company-specific risks;
  • discussed the value to investors of disclosure relating to: a company’s protocols relating to, or efforts to minimize, cybersecurity risks and its capacity, and any measures taken, to respond to cybersecurity incidents; and
  • discussed the value to investors of disclosure regarding whether any member of a company’s board of directors has experience, education, expertise, or familiarity with cybersecurity matters or risks.

She recognized that the lack of notice-and-comment rulemaking constrained what actions the Commission could take, but called on her fellow commissioners to address this by putting forth rule changes for public comment. She suggested rules calling for:

  • improvements to the board’s risk management framework related to cyber risks and threats;
  • minimum standards to protect the personally identifiable information of investors;
  • timely notice to investors (such as a Form 8-K filing) following a cyberattack providing useful disclosure without harming the company competitively; and
  • the development and implementation by public companies of comprehensive cyber security-related policies and procedures.

She concluded that:

While it may have the potential of providing both companies and investors with incremental benefit, the guidance does not sufficiently advance the ball—even in the context of disclosure guidance. Even more, it may provide investors a false sense of comfort that we, at the Commission, have done something more than we have. Ultimately, the step the Commission took with respect to cybersecurity risks and incidents should only be its first. There is so much more we can and should do. I hope we will proceed accordingly for the good of investors, public companies, and our capital markets.