On Feb. 20, 2018, the SEC voted unanimously to issue interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents. The Commission guidance builds on and expands on the staff guidance issued in 2011. The guidance provides the Commission’s views about public companies’ disclosure obligations under existing law with respect to matters involving cybersecurity risk and incidents. It also addresses the importance of cybersecurity policies and procedures and the application of disclosure controls and procedures, insider trading prohibitions, and Regulation FD and selective disclosure prohibitions in the cybersecurity context.
At the Practising Law Institute’s recent SEC Speaks conference, William H. Hinman, director of the SEC’s Division of Corporation Finance, noted that the 2011 guidance, which was principles-based, had worked well since its issuance. The new Commission statement refreshed some of the language, but retained much of the original staff advice, according to the director.
There are some key differences between the new statement and the 2011 guidance, however, noted Director Hinman. The first is that the new statement is Commission guidance, while the staff issued the original interpretation. The second is that the new guidance deals with two points not fully developed in the earlier staff advice. These include emphasizing the importance of:
The guidance begins with a discussion of materiality, one of the bedrock principles of the SEC’s disclosure regime. The Commission reminded companies of their obligation to consider the materiality of cybersecurity risks and incidents when preparing registration statements and periodic and current reports.
The SEC noted that in determining their disclosure obligations regarding cybersecurity risks and incidents, companies generally weigh:
The materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations. According to the Commission, registrants need not “draw a map,” or make detailed disclosures that could compromise their cybersecurity efforts. For example, issuers need not publicly disclose specific, technical information about their cybersecurity systems or potential system vulnerabilities that would make them more susceptible to a cybersecurity incident.
The SEC also advised that companies should provide disclosure that is tailored to their particular cybersecurity risks and incidents. Issuers should avoid generic cybersecurity-related disclosure and provide specific information that is useful to their investors.
Item 503(c) of Regulation S-K and Item 3.D of Form 20-F require companies to disclose the most significant factors that make investments in the company’s securities speculative or risky. In drafting these risk factors with regard to cybersecurity, the SEC urged issuers to consider:
The Commission noted that in meeting their disclosure obligations, companies may need to disclose previous or ongoing cybersecurity incidents or other past events in order to place discussions of these risks in the appropriate context.
The key takeaway with regard to risk factors is to make them meaningful, relevant and current. Issuers should not cut and paste last year’s list into this year’s filing, or copy the factors filed by a peer company.
The SEC advised that companies should consider covering the cost of ongoing cybersecurity efforts, the costs and other consequences of cybersecurity incidents, and the risks of potential cybersecurity incidents in their MD&A. Cyber risks may also need to be disclosed in several other areas of the financial statements and SEC filings, such as:
The SEC encourages companies to adopt comprehensive policies and procedures related to cybersecurity and to regularly assess their sufficiency and compliance as they relate to cybersecurity disclosure. Companies should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel.
Companies should not limit their disclosure controls and procedures to disclosures that are specifically required by the rules. Rather, issuers should focus on ensuring timely collection and evaluation of information that is potentially subject to required disclosure, or relevant to an assessment of the need to disclose developments and risks that pertain to the company’s businesses. These controls are subject to the certification requirements for the principal executive officer and principal financial officer of the company. These certifications and disclosures should take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact.
Coming on the heels of high-profile breaches such as Equifax, the Commission issued a strong reminder to companies that “directors, officers, and other corporate insiders should be mindful of complying with the laws related to insider trading in connection with information about cybersecurity risks and incidents, including vulnerabilities and breaches.” The guidance stated that information about a company’s cybersecurity risks and incidents could be material nonpublic information, and directors, officers and other corporate insiders would be in violation of the antifraud provisions if they traded in the company’s securities in breach of their duty of trust or confidence while in possession of that material nonpublic information.
Director Hinman observed at the SEC Speaks conference that it would “not be a bad idea” for companies to adopt a prophylactic proscription on trading while companies are investigating and assessing significant cybersecurity incidents. Such a provision would prohibit trades by insiders before the breach is publicly disclosed.
The SEC advised companies in the guidance of their obligation to comply with Regulation FD. Companies and persons acting on their behalf must not selectively disclose material, nonpublic information regarding cybersecurity risks and incidents to persons specified in Regulation FD (generally, broker-dealers, investment advisers, investment companies or holders of the issuer’s securities under circumstances in which it is reasonably foreseeable that the person will trade in the issuer’s securities on the basis of the information) before disclosing that same information to the public.
The SEC stated that it expects companies to have policies and procedures in place to ensure that any disclosures of material nonpublic information related to cybersecurity risks and incidents are not made selectively, and that any Regulation FD-required public disclosure is made simultaneously (in the case of an intentional disclosure as defined in the rule) or promptly (in the case of a non-intentional disclosure) and is otherwise compliant with the requirements of that regulation.
The SEC’s cybersecurity guidance is not rulemaking, and it contains no surprising developments. It does not break new ground, and is largely a series of reminders and suggestions about what companies should have been doing all along. It is significant that the advice comes from the top, and has the imprimatur of the Commission itself. It is a valuable exercise, but I am sure that many readers of the release will come to the end wondering what all the excitement was about.
I am not alone in that feeling, as two SEC commissioners expressed their disappointment with the agency’s action. Commissioner Robert J. Jackson Jr. stated that he “reluctantly” supported issuing the release as a first step toward combatting cyber abuses. He noted that “the guidance essentially reiterates years-old staff-level views on this issue” and that “economists of all stripes agree that much more needs to be done.”
Commissioner Kara Stein expressed an even stronger sense of disappointment with what she saw as a missed opportunity. She conceded that the guidance provides “valuable reminders,” but saw the release as in large part a rehash of the 2011 staff document. She asked, “should we be, in effect, re-issuing staff guidance solely to lend it a Commission imprimatur?”
Commissioner Stein suggested several steps the Commission could have taken beyond reminding registrants of their obligations under current law. She said the SEC could have:
She recognized that the lack of notice and comment rulemaking constrained what actions the Commission could take, but called on her fellow commissioners to avoid this problem by putting forth rule changes for public comment. She suggested rules calling for:
She concluded that:
While it may have the potential of providing both companies and investors with incremental benefit, the guidance does not sufficiently advance the ball—even in the context of disclosure guidance. Even more, it may provide investors a false sense of comfort that we, at the Commission, have done something more than we have. Ultimately, the step the Commission took with respect to cybersecurity risks and incidents should only be its first. There is so much more we can and should do. I hope we will proceed accordingly for the good of investors, public companies, and our capital markets.