Given the increasing significance of cybersecurity incidents, the SEC recently published additional guidance in the Federal Register to assist public companies in preparing cybersecurity risk and incident disclosures, policies, and procedures. The guidance builds on prior guidance issued by the SEC’s Division of Corporation Finance in 2011.
The guidance emphasizes that public companies must disclose material cybersecurity risks and incidents, as well as related costs and consequences, in registration statements and reports required under the Securities Act of 1933 and the Securities Exchange Act of 1934. The SEC provides that companies generally evaluate materiality in this context by weighing, among other things: (i) the nature, extent, and potential magnitude of the risks or incidents; and (ii) the potential resulting reputational, financial, and legal consequences, including harm to customer and vendor relationships. While these disclosures are not intended to be so detailed as to compromise a company’s cybersecurity efforts, the SEC indicates that it expects a company to make appropriate material disclosures in a timely and sufficient manner before the offer and sale of securities, and to act to prevent directors, officers, and corporate insiders from trading in the securities until investors have been properly notified of the incident or risk.
To determine the proper cybersecurity risk factor disclosures to make upon a material event’s occurrence, the SEC suggests that companies consider factors such as: (i) the severity and frequency of prior incidents; (ii) the probability and potential magnitude of incidents; (iii) the adequacy of preventative actions taken to reduce such risks and associated costs, including any limits on the company’s ability to prevent or mitigate certain risks; (iv) the aspects of the company’s business and operations giving rise to material risks and the potential costs and consequences of such risks, including industry-specific and third-party supplier and service provider risks; (v) cybersecurity protection maintenance costs, including insurance coverage relating to such incidents or payments to service providers; (vi) the potential for reputational harm; (vii) existing or pending laws and regulations that may affect the cybersecurity requirements to which the company is subject and the associated costs; and (viii) associated litigation, regulatory investigation, and remediation costs. Such disclosures may need to be addressed more broadly in context, taking into account previous or ongoing incidents or events.
Furthermore, the guidance provides considerations related to additional required disclosures in this context, such as those regarding financial condition, changes to financial condition, results of operations, business descriptions, material pending legal proceedings, financial statements, and the extent of a company’s board of directors’ role in company risk oversight.
The guidance also recommends that companies: (i) adopt comprehensive cybersecurity policies and procedures; (ii) assess their compliance regularly, including the sufficiency of their disclosure controls and procedures; and (iii) assess whether sufficient disclosure controls and procedures are in place to ensure that relevant risk and incident information is appropriately processed and reported (e.g., up the corporate ladder) in order to enable senior management to make disclosure decisions and certifications and to facilitate policies and procedures prohibiting directors, officers, and other insiders from trading based on material nonpublic information about such risks and incidents. Proper disclosure controls and procedures must also be in place to allow a company to, among other things: (i) identify cybersecurity risks and incidents; (ii) assess and analyze their impact on its business; (iii) evaluate the significance associated with such risks and incidents; (iv) provide for open communications between technical experts and disclosure advisors; and (v) make timely disclosures regarding such risks and incidents.
Companies are also encouraged to: (i) develop insider trading policies that take into account and prevent trading based on material nonpublic information, including such information related to cybersecurity risks and incidents; and (ii) ensure that such information is not disclosed to Regulation FD enumerated persons until it has been publicly disclosed.
The guidance, as published in the Federal Register, can be viewed here: https://www.gpo.gov/fdsys/pkg/FR-2018-02-26/pdf/2018-03858.pdf.