SEC Issues New Guidance on Cybersecurity Disclosure Requirements

• Policies to Prevent Insider Trading Based on Nonpublic Cyber Information. The Guidance stresses the need for companies to consider implementing policies to prevent insider trading on the basis of any material nonpublic cybersecurity-related information. As a result, insider trading policies, codes of ethics and codes of conduct may need to be amended to expressly address information relating to cybersecurity risks and incidents. In addition, controls and procedures with respect to opening and closing trading windows may also need to be revised.
  
  
• Improving Cyber Disclosures. In general, the Guidance and the accompanying public statements make clear that the SEC and its Staff believe that current company disclosures about cybersecurity risks and incidents can be and must be improved. 

The Guidance is the latest in a series of steps taken by the SEC and its Staff to make clear its increasing focus on cybersecurity matters; it both reinforces and expands upon the 2011 guidance issued by the Division of Corporation Finance regarding disclosure obligations relating to cybersecurity risks and incidents. Undeniably, the Guidance is intended to signal that the SEC and its Staff are raising the bar with respect to their expectations about the quality and usefulness of cybersecurity disclosure, and the compliance and governance framework with respect to how cybersecurity risks and incidents are handled. While a grace period can be expected with respect to the transition to the enhanced normative standards outlined in the Guidance—including comment letters on periodic filings by the Division of Corporation Finance—at some point, those expectations will begin to get enforced by the Division of Enforcement.

To be sure, the two Democrat Commissioners, in their separate public statements, qualified their support for the guidance, indicating that it “essentially reiterates years-old staff-level views on this issue”² and is simply “rebranded guidance.”³ In Commissioner Jackson’s view, “much more needs to be done.” Commissioner Stein agreed: “There is so much more we can and should do.”

Regardless of the debate among the Commissioners, it is important for companies to consider the spirit and the letter of the Guidance when evaluating their approach to cybersecurity reporting and cybersecurity risk.

Set forth below in more detail is an overview of the Guidance.

OVERVIEW OF RULES REQUIRING DISCLOSURE OF CYBERSECURITY ISSUES

1. Disclosure Obligations Generally; Materiality
   Like the 2011 guidance, the Guidance emphasizes that companies “should consider” the materiality of cybersecurity risks and incidents when preparing required disclosures. 83 FR 8166, 8168 (Feb. 26, 2018). The SEC acknowledged that Regulation S-K does not specifically refer to cybersecurity but has interpreted it to include material cyber risks and incidents. In particular, the SEC states that cybersecurity-related disclosures should be considered in companies’ periodic reports, registration statements and current reports.
   
   Further, the Guidance reinforces that the assessment of disclosure obligations is dependent upon a company’s particular circumstances, with thought given to the potential materiality of the identified risk, the importance of compromised information (if any), and/or the impact of an incident on a company’s operations, as applicable. Id. Materiality, in turn, is dependent upon, among other things, the nature, extent, and potential magnitude of a risk or incident (particularly in relation to compromised information, the business, or the scope of a company’s operations), as well as the range of harm (including, for instance, as related to a company’s reputation, financial performance, customer/vendor relationships, and/or the possibility of litigation or regulatory investigations or actions). Id. at 8168–69.
   
   
2. Risk Factors
   Regulation S-K’s Item 503(c) and Form 20-F’s Item 3.D require companies to disclose the most significant factors that make securities investments speculative or risky. Id. at 8169–70. The Guidance suggests that companies consider the following factors when evaluating cybersecurity risks for disclosure:
   
   • occurrence, frequency, and severity of prior cybersecurity incidents;
   • probability and potential magnitude of cybersecurity incidents;
   • adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs; 
   • aspects of the company’s business and operations that give rise to material cybersecurity risks (including industry-specific risks and third-party supplier/service provider risks);
   • costs associated with maintaining cybersecurity protections (such as cyber insurance coverage or service provider payments); 
   • potential for reputational harm;
   • existing or pending laws and regulations that may affect the cyber requirements and the associated costs to companies; and
     litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.
     
     The SEC suggests that companies may need to discuss past incidents to provide sufficient context and understanding of cyber risk. For example, the SEC suggests, if a company previously experienced a material denial-of-service attack, it likely would not be sufficient for the company to simply disclose a risk of a denial-of-service incident without mentioning the prior incident and its consequences.

    

3. Content and Timing of Disclosures
   The SEC provides particular guidance on the content and timing of cyber disclosures. Regarding content, the SEC states that “companies should avoid generic cybersecurity-related disclosure and provide specific information that is useful to investors.” Id. at 8169. Companies should disclose “cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal, or reputational consequences.” Id. This includes a “duty to correct” a prior disclosure determined to be untrue or misleading at the time it was made, and a “duty to update” a prior disclosure that becomes materially inaccurate after it is made. Id. At the same time, consistent with its 2011 guidance, the SEC cautioned that companies need not and should not provide “detailed disclosures that could compromise cybersecurity efforts” — for instance, by providing a “roadmap” to hackers. Id.
   
   On timing, although the SEC recognizes the need for internal investigation and cooperation with law enforcement, the SEC makes clear that such “ongoing internal and external investigation — which often can be lengthy – would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.” Id. Thus, such disclosures should be timely and companies should provide them with expediency, though the SEC understands that it may take some time to discern the implications of a cybersecurity incident and that some material facts may not be available at the time of the initial disclosure.
   
   
4. MD&A of Financial Condition and Results of Operations
   Regulation S-K’s Item 303 and Form 20-F’s Item 5 require companies to discuss their financial condition, changes in financial condition, and results of operations. Id. at 8170. The SEC recommends that companies consider:
   • costs of ongoing cybersecurity efforts (including enhancements to existing efforts);
   • costs and other consequences of cybersecurity incidents or of cybersecurity issues more generally, including, for instance, immediate costs of an incident, loss of intellectual property or competitive advantage, reputational harm, implementation of preventative measures, maintenance of insurance, litigation and regulatory response, remediation efforts, compliance with legislation, etc.; and
   • risks of potential cybersecurity incidents.
     
     
5. Description of Business
   According to the Guidance, in connection with Item 101 of Regulation S-K and Item 4.B of Form 20-F, a company “must provide appropriate disclosure” if cybersecurity incidents or risks materially affect its products, services, competitive conditions, or relationships with suppliers or customers. Id.
   
   
6. Financial Statement Disclosures
   The Guidance notes that cybersecurity incidents and risks may affect a company’s financial statements. Id. For example, cybersecurity incidents may result in expenses related to investigation and breach remediation, loss of revenue, insurance premium increases, or diminished future cash flow. As a result, the SEC “expects” companies to design their financial reporting and control systems to provide reasonable assurance that information regarding the range and magnitude of such impacts would be incorporated into its financial statements in a timely manner.
   
   
7. Legal Proceedings
   Regulation S-K’s Item 103 requires companies to disclose information relating to material pending legal proceedings to which they or their subsidiaries are a party. Id. The SEC underscores that this requirement includes any such proceedings that raise cybersecurity issues. For example, if a company experiences a cybersecurity incident involving the theft of customer information and the incident results in material litigation by customers against the company, the company should disclose such litigation.
   
   
8. Board Risk Oversight
   Regulation S-K’s Item 407(h) and Schedule 14A’s Item 7 require a company to disclose the extent of its board of directors’ risk oversight role, such as how the board administers its oversight function and the board’s leadership structure. Id. To the extent cybersecurity risks are material, the company should disclose the board’s oversight of cybersecurity risks. The SEC notes that disclosures regarding the company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues permit investors to assess how the board is discharging its risk oversight responsibility.

POLICIES AND PROCEDURES

The Guidance also expands on two concepts: disclosure processes and protections against insider trading.

1. Disclosure Controls and Procedures
   Exchange Act Rules 13a-15 and 15d-15 require companies to maintain disclosure controls and procedures and evaluate their effectiveness. Id. at 8171. The Guidance advises companies to assess whether their disclosure controls and procedures are effective to process and report information regarding cybersecurity risks and incidents, including up the corporate ladder, as appropriate “to enable senior management to make disclosure decisions and certifications” and facilitate insider trading prohibitions. Id. In particular, the Guidance indicates that companies should assess whether their controls and procedures enable them to:
   
   • record, process, summarize, and report information related to cybersecurity risks and incidents required to be disclosed in filings;
   • identify cybersecurity risks and incidents;
   • assess and analyze the impact of cybersecurity risks and incidents on a company’s business;
   • evaluate the significance associated with such risks and incidents;
   • provide for open communications between technical experts and disclosure advisors; and
   • ensure timely disclosures regarding such risks and incidents.
     
     
2. Insider Trading
   The Guidance reminds companies that their directors, officers, and other corporate insiders should be mindful of complying with the laws related to insider trading in connection with material nonpublic information about cybersecurity risks and incidents, including as related to vulnerabilities and breaches. Id. at 8171–72.
   
   The Guidance encourages “companies to consider how their codes of ethics and insider trading policies take into account and prevent trading on the basis of material nonpublic information related to cybersecurity risks and incidents.” Id. Companies should have policies and procedures in place to prevent trading on the basis of all types of material nonpublic information, including as appropriate information relating to cybersecurity risks and incidents.
   
   
3. Regulation FD and Selective Disclosure
   Companies should also be sensitive to cybersecurity in the context of evaluating disclosure obligations under Regulation FD and protecting against selective disclosure of material information. Id. at 8172. The Guidance provides that companies should not selectively disclose material, nonpublic information regarding cybersecurity risks and incidents to Regulation FD enumerated persons before disclosing the same information to the public and outlines an expectation that company policies and procedures would contemplate this risk.

¹ SEC Chair Jay Clayton, “Statement on Cybersecurity Interpretive Guidance” (Feb. 21, 2018), available at https://www.sec.gov/news/public-statement/statement-clayton-2018-02-21.

² Commissioner Robert J. Jackson, Jr., “Statement on Commission Statement and Guidance on Public Company Cybersecurity Disclosures” (Feb. 21, 2018), available at https://www.sec.gov/news/public-statement/statement-jackson-2018-02-21.

³ Commissioner Kara M. Stein, “Statement on Commission Statement and Guidance on Public Company Disclosures” (Feb. 21, 2018), available at https://www.sec.gov/news/public-statement/statement-stein-2018-02-21.