On February 21, 2018, the U.S. Securities and Exchange Commission approved the release of Interpretive Guidance relating to public company disclosures of cybersecurity risks and incidents. This guidance replaces staff guidance from the Division of Corporate Finance issued way back in October 2011 – on the same day that iPhone 4 was released.
Although the Commission voted unanimously to release it, some Commissioners do not view the new guidance as going much beyond the 2011 staff guidance. In fact, Commissioner Kara Stein wondered whether the new guidance would cause public companies to step up their cybersecurity disclosures – or “will law firms simply produce a host of client alerts reaffirming their alerts from years past.” We sense a challenge.
In a number of respects, this new guidance does mirror, or simply amplify, the prior staff guidance. That is to be expected, though, because much in the prior guidance remains accurate and useful in analyzing securities-related issues arising from cybersecurity risks and incidents. In other respects, the new guidance addresses issues that have come into sharper focus since 2011.
The Newest of the ‘New Guidance’
As a threshold matter, the Commission’s guidance is important because it was issued by “the Commission,” as it is now comprised. Much has changed since 2011, and the guidance now describes cyber risks as “grave threats to investors, our capital markets, and our country.” Analogizing the “importance of data management and technology” today to “the importance of electricity and other forms of power” in the 20th Century, the Commission describes the evolving cyber threat landscape in language similar to that used by other components of the federal government and the private sector. The Commission also adds to the list of “substantial costs” and “negative consequences” associated with cyber incidents: “legal risks, including regulatory actions by state and federal governmental authorities and non-U.S. authorities;” “increased insurance premiums;” and “damage to a company’s competitiveness, stock price, and long-term shareholder value.”
The Commission emphasizes the “critical” importance of “maintaining comprehensive policies and procedures related to cybersecurity risks and incidents.” By implementing effective disclosure controls and procedures, companies will be expected to quickly analyze the impact and potential materiality of cyber risks and incidents, and thereby make “timely” disclosures.
Mirroring some of the comments from the OCIE’s August 2017 “Observations from Cybersecurity Examinations” of broker-dealers, investment advisors and investment companies, the Commission stresses that it is not enough for companies to create written cybersecurity policies and procedures. They must regularly assess their compliance with these policies and procedures. This should include ensuring that “relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications and to facilitate policies and procedures [that protect against insider trading].” The Commission explicitly states that Sarbanes-Oxley certifications as to the design and effectiveness of disclosure controls and procedures “should take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact.”
Another new area of guidance concerns insider trading relating to material nonpublic information about cybersecurity incidents experienced by the company. This issue has arisen recently with insider activity prior to companies’ public disclosures of large data breaches. This is a dicey area. Directors, officers and other senior corporate insiders are expected to know about cyber risks and incidents at their companies. If they trade during a window in which information about significant cyber incidents is nonpublic, they run the risk of being accused of either insider trading or managerial incompetence as to cybersecurity – or both. The Commission therefore recommends that companies implement policies and procedures, and review their codes of ethics, to ensure that “directors, officers and other corporate insiders” do not trade on such information between the discovery of a cyber incident and its public disclosure. To avoid even the appearance of improper trading, companies “should consider whether and when it may be appropriate to implement restrictions on insider trading” during the investigation and assessment of significant cybersecurity incidents.
Other Important Insights on Disclosure of Cybersecurity Risks and Incidents
The Commission’s Guidance also provides insight into periodic reporting on cybersecurity risks and incidents. In particular, the Commission “encourages companies to continue to use Form 8-K or Form 6-K to disclose material [cybersecurity] information promptly.” Whether a cyber incident is material will depend on a host of factors, including the nature, extent, and potential magnitude of the incident. This includes consideration of the type of compromised information (personally identifiable information, intellectual property or other confidential business information); the incident’s impact on operations; the harm to a company’s reputation, financial performance, customer/vendor relationships; and potential liabilities in civil litigation or regulatory enforcement actions.
The Commission acknowledges the competing interests at stake in requiring early disclosure of cyber incidents that are still under investigation, and that the materiality analysis of a cyber incident may evolve as the investigation into the incident unfolds. Nonetheless, the Commission states that “an ongoing internal or external investigation – which often can be lengthy – would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.” The Commission also emphasizes that prior disclosures must be corrected as additional, material information becomes available through a cyber incident investigation.
The Guidance also includes a section on “Board Risk Oversight.” In describing how the board administers its risk oversight function, a company should explain the “nature of the board’s role in overseeing the management of [cybersecurity] risk,” to the extent such risk is material. Investors should be able to assess the company’s cyber risk management program and “how the board engages with management on cybersecurity issues.”
Going forward, it seems clear that the Commission is likely to pay greater attention to board involvement in cybersecurity risk and incident oversight generally. As with other regulators, we also expect greater scrutiny of the investigations that follow the discovery of incidents, and the timeliness and accuracy of disclosures relating to such incidents.