The Securities and Exchange Commission is making a serious effort to ensure public companies do a good job of handling and disclosing cybersecurity events.
In February 2018, the SEC issued new interpretive guidance for public companies concerning controlling and disclosing cybersecurity risks and events. This new guidance affirms and expands on previously released guidance from October 2011.
Since then, we’ve seen terrible examples of how public companies handled data breaches (think: Equifax and Yahoo), and it’s clear that the SEC wants companies to do better. With its most recent release, the SEC is taking pains to be more explicit about its expectations than it was in the 2011 guidance.
The February 2018 release is official SEC guidance that was approved unanimously by all of the Commissioners. As such, “the guidance provides the Commission’s views about public companies’ disclosure obligations under existing law with respect to matters involving cybersecurity risk and incidents.”
Digging Into the Guidance: Key Directives
The new interpretive guidance focuses on insider trading and required disclosures. It also includes timely reminders about the importance of cybersecurity policies and procedures as well as a company’s obligations under Regulation FD. Finally, the SEC emphasized the board’s role when it comes to cybersecurity and enterprise risk oversight.
Among the issues that have arisen in the epic Equifax case are allegations of insider trading in advance of Equifax’s public disclosure of its massive breach. At least two people have been charged to date.
The SEC used the 2018 release as an opportunity to remind companies and their insiders—including directors and officers—of the prohibitions on trading while in possession of material nonpublic information, including undisclosed cyber breaches.
The SEC’s guidance reiterates that companies should consider the materiality or significance of their potential cybersecurity risks (“… we expect companies to disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal, or reputational consequences.”).
The guidance gives several examples of the obligations to disclose risks and incidents based on specific scenarios. The release also helpfully runs through specific sections of periodic reporting: risk factors, management discussion & analysis, description of the business, and legal proceedings. There are also some useful specifics about financial statement disclosures.
One of the challenges faced by companies when hit with a cyber breach is the need to balance the requirements of many stakeholders at one time, a balance that might lead a company to conclude that delaying disclosure is appropriate.
For example, in some cases a company may be cooperating with federal and state authorities while also conducting its own investigation. The SEC articulates its view on this type of delay, and acknowledges that some companies may need to cooperate with law enforcement in the course of a cybersecurity incident. Of course, as the SEC notes, such cooperation “may affect the scope of disclosure regarding the incident.”
However, the SEC goes on to say that “an ongoing internal or external investigation—which often can be lengthy—would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.”
Policies and Procedures / Disclosure Controls
In its discussion of cybersecurity policies and procedures, the SEC reminds companies of the need to take a comprehensive, holistic approach to this “key area of enterprise risk management.”
The SEC further notes that:
Companies should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications and to facilitate policies and procedures designed to prohibit directors, officers, and other corporate insiders from trading on the basis of material nonpublic information about cybersecurity risks and incidents.
Finally, the SEC reminds companies that in addition to having disclosure controls and procedures, management is obligated to evaluate their effectiveness.
The SEC Amplifies Focus on Cybersecurity
In March, the newly appointed SEC commissioner, Robert Jackson Jr., gave a speech at the Tulane Corporate Law Institute. In his speech, Commissioner Jackson called cyber threats “the most pressing issue in corporate governance today.”
While Commissioner Jackson points out that the views he expresses are his own and do not reflect those of the SEC, the fact that he’s making cybersecurity a focus of his speaking engagements—coupled with the fact that SEC Chair Jay Clayton addressed cybersecurity with a congressional panel in June—makes it clear that the SEC is committed to this issue.
Another sign of the SEC’s increasing seriousness is its April 2018 $35 million settlement with Yahoo, the first penalty associated with a cyber disclosure investigation.
So, while we all may be growing a little weary of the topic of cybersecurity, this is one issue that’s not going away—including at the board level.
The Board and Cybersecurity
The SEC’s interpretive guidance specifically makes a note of the board’s role in cybersecurity oversight: “To the extent cybersecurity risks are material to a company’s business, we believe this discussion should include the nature of the board’s role in overseeing the management of that risk.”
The SEC goes on to use the 2018 release to encourage disclosure of “how the board of directors engages with management on cybersecurity issues.” This disclosure is to be provided so that shareholders can assess the board’s performance when it comes to the execution of its risk oversight duties.
In light of the SEC’s clear focus on this issue, boards of directors will want to ensure that cyber risk and its mitigation continue to be a regular topic of serious board discussion.
Management will want to review the SEC’s interpretive guidance with counsel and, as needed, refine the company’s cyber disclosures—including thinking about being able to make good disclosures in a timely way if a cyber breach occurs.