SEC Issues Guidance on Cybersecurity Disclosures
On February 21, 2018, the U.S. Securities and Exchange Commission (“SEC”) issued updated guidance to assist public companies with disclosure obligations under the federal securities laws relating to cybersecurity risks and incidents (“Guidance”). In addition to expanding upon the SEC’s guidance on cybersecurity issued in October 2011 (“2011 Guidance”), which focused on the disclosure of cybersecurity risks and incidents, the Guidance addresses two new issues – the implementation of cybersecurity policies and procedures and the examination of insider trading prohibitions in the wake of cybersecurity incidents.
The Guidance expands on the general view of the SEC’s Division of Corporation Finance as reflected in the 2011 Guidance – that cybersecurity risks and incidents may be material information triggering disclosure obligations under federal securities laws and regulations – and further identifies particular areas in which cybersecurity disclosure may be appropriate in registration statements under the Securities Act of 1933 and the Securities Exchange Act of 1934 as well as periodic and current reports under the Exchange Act.
The Guidance lists several factors for companies to consider when evaluating the materiality of cybersecurity risks and incidents, including the harm to a company’s reputation, financial performance, customer and vendor relationships, and the possibility of litigation or regulatory investigations or actions. While the SEC recognizes that a company may require time to investigate a cybersecurity incident, the Guidance stresses that “an ongoing internal or external investigation – which often can be lengthy – would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.”
The Guidance also explains that companies should avoid generalized disclosure regarding cybersecurity matters and provide information that details a company’s specific approach to cybersecurity risks and incidents. Additionally, the Guidance provides that the financial impacts of a cybersecurity incident should be timely incorporated into a company’s financial statements. It also notes that in meeting its disclosure obligations regarding cybersecurity risks, a company may need to disclose previous or ongoing cybersecurity events to place those risks in context.
Policies and Procedures
The Guidance encourages companies to adopt comprehensive policies and procedures related to cybersecurity. It also explains that, consistent with the securities law reforms enacted as part of the Sarbanes-Oxley Act of 2002 legislation, companies should determine whether they have “sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder.”
The Guidance makes clear that information about a company’s cybersecurity risks and incidents may be material nonpublic information subject to insider trading laws and other antifraud provisions. The SEC therefore expects companies to take steps to prevent directors and officers (and other corporate insiders) from trading company securities until investors have been adequately informed about the particular incident or risk. In addition, the Guidance suggests that while companies are investigating significant cybersecurity incidents, they should consider whether it may be appropriate to institute insider trading restrictions with respect to their securities.
Overall, the Guidance demonstrates the SEC’s increasing attention to cybersecurity issues. This follows upon recent actions by other financial regulatory agencies, such as the New York State Department of Financial Services’ implementation of its Cybersecurity Regulations.
Next Steps/Additional Assistance
Contact a member of Phillips Lytle’s Data Security & Privacy Practice Team to discuss how best to address the Guidance in existing policies and procedures. Phillips Lytle is uniquely situated to assist clients with cybersecurity policy development and with the disclosure of cybersecurity risks and incidents because its lawyers include former technologists who have assisted numerous clients in responding to data security incidents, crafting cybersecurity procedures and complying with disclosure obligations.
For questions regarding the SEC Guidance, please contact Jennifer A. Beckage at (716) 847-7093, jbeckage@phillipslytle.com; Benjamin M. Farber at (518) 618-1218, firstname.lastname@example.org; or Jeffrey D. Coren at (716) 847-7024, email@example.com.