“Cybersecurity risks pose grave threats to investors, our capital markets, and our country.” That sober reminder appears at the beginning of the Securities and Exchange Commission’s February 21, 2018, Commission Statement and Guidance on Public Company Cybersecurity Disclosures (the Interpretive Guidance). The Interpretive Guidance reminds public companies and their stakeholders of the increasing risks posed by cyber threats and the critical importance of cybersecurity to most companies. It also emphasizes ways in which cybersecurity risks and incidents regularly intersect with existing disclosure, anti-fraud and insider trading requirements under federal law.
Re-Emphasis of Disclosure Obligations
The Interpretive Guidance largely endorses and reinforces 2011 guidance from the staff of the SEC’s Division of Corporate Finance regarding disclosure obligations relating to cybersecurity risks and cyber incidents. In particular, the Interpretive Guidance highlights the following disclosure obligations under existing law:
- Areas for Disclosure. Although neither the Securities Act of 1933 nor the Securities Exchange Act of 1934, nor the regulations promulgated under either Act, specifically refers to cybersecurity risks or incidents, the Interpretive Guidance reminds companies that the general anti-fraud requirements of those laws remain the guidepost when considering cybersecurity disclosures. Specifically, companies may not make disclosures that are materially misleading, including by omitting material information needed to keep the disclosures that are made from being misleading. The Interpretive Guidance also highlights that two general duties apply to cybersecurity just as they do in other contexts: the duty to correct a prior disclosure that a company determines was untrue when made, and the duty to update a disclosure that becomes materially inaccurate after it is made while reasonable investors continue to rely on it. Relevant sections of SEC filings in which cybersecurity risks or incidents might be discussed include:
  - Risk Factors: As noted in the Interpretive Guidance, substantially all large companies (88 percent of the public Fortune 500 companies and about 78 percent of the Fortune 501-1000 companies, according to a 2013 report) include disclosures about the risk of cyber incidents in this section of their SEC filings.
  - Management Discussion and Analysis of Financial Condition and Results of Operations: Discussion of cybersecurity issues is warranted if cyber risks or incidents include an event (such as a breach), trend (such as investments intended to prevent breaches) or uncertainty that is reasonably likely to have a material effect on the company’s operating results, liquidity, or financial condition.
  - Description of Business: If cybersecurity incidents or risks materially affect a company’s products, services, relationships with customers or suppliers, or competitive conditions, then disclosure in this section would be required.
  - Legal Proceedings: Item 103 of Regulation S-K requires SEC filers to disclose specified information regarding material pending legal proceedings. Suits by customers or others whose information has been compromised may need to be disclosed in this section, as may suits alleging disclosure violations in the wake of a cyber incident, which are becoming increasingly common.
  - Financial Statements: Implications of cyber risks for financial statements can include, among other things, (1) expense recognition related to the costs of responding to and remediating an incident, (2) potential recoveries from third parties under indemnification provisions in service provider contracts or cyber insurance policies, and (3) impairment of intellectual property or other intangible assets.
  - Board Risk Oversight: Item 407(h) of Regulation S-K requires a company to disclose the extent of its board of directors’ role in the risk oversight of the company. To the extent cybersecurity risks are material to a company’s business, this discussion should include the nature of the board’s role in overseeing the management of that risk.
- “Roadmap” Disclosure Not Required. Although a variety of cybersecurity topics might require disclosure in SEC filings, the Interpretive Guidance reinforces that companies are not required to make detailed disclosures that could compromise the company’s cybersecurity, e.g., by providing a “roadmap” for those seeking to penetrate the company’s cybersecurity protections. How much specificity a company must provide about cybersecurity issues so that its disclosures on those issues are not materially misleading remains an under-developed area of the law, and it is a primary issue in a putative class action recently filed against Advanced Micro Devices, a large manufacturer of microprocessors. Although the Interpretive Guidance does not detail the level of specificity required when disclosing cybersecurity issues to avoid liability under federal anti-fraud laws, its reiteration of the prior guidance that “roadmap” disclosure is not required offers companies some level of comfort.
Emerging Emphasis on Insider Trading and Policies and Procedures
The Interpretive Guidance also highlights two topics that were not well developed in the 2011 staff disclosure guidance:
- Insider Trading and Regulation FD Issues. Federal anti-fraud laws prohibit trading a security on the basis of material nonpublic information about that security or its issuer in breach of a duty of trust or confidence owed to the issuer, to the issuer’s shareholders, or to any other person who is the source of the material nonpublic information. Given the costs that can be associated with cyber incidents, including reputational harm, loss of value of intangible assets, and out-of-pocket costs arising from the investigation and remediation of incidents and related legal proceedings, cyber incidents clearly fall within the realm of matters that could be material in today’s business environment. While the materiality of any particular incident will depend on a variety of factors, such as the size of a breach or the information taken or accessed without authorization, companies should assess each cyber incident for materiality as it occurs.
Cyber incidents can create difficult situations relating to insider trading because, in addition to their potential materiality, time lags often occur between when a potential incident is identified and when, after sufficient investigation, enough facts are known to determine whether an attack was successful and, if so, whether the incident is material. This may create significant windows in which unlawful trading could occur; companies should evaluate those windows in addition to considering any duty to correct or update prior disclosures that may arise as the facts of a situation become known. For this reason, the Interpretive Guidance notes that prophylactic measures, such as blackout periods prohibiting directors, officers or other corporate insiders from trading in the company’s securities pending the investigation and public disclosure of a cybersecurity incident, often might be advisable. The recent investigation of Equifax’s Chief Financial Officer and other Equifax executives in light of that company’s massive data breach highlights why blackout periods can be advisable even if a blackout is not strictly necessary to avoid violations of insider trading laws.
The Interpretive Guidance also notes that Regulation FD requires public companies that disclose material nonpublic information to certain persons to also disclose that information publicly. Given the potential materiality of cyber incidents discussed above, companies and their spokespeople should take care not to selectively disclose material nonpublic information regarding cyber risks or incidents, in order to avoid potential violations of Regulation FD.
- Importance of Cybersecurity Policies and Procedures. SEC filers are required to establish and maintain appropriate and effective disclosure controls and procedures that enable them to make accurate and timely disclosures of material events, including those related to cybersecurity. Satisfying this obligation requires cross-functional coordination among a company’s information technology and security, legal, and accounting personnel, so that the individuals responsible for public disclosure have the relevant information on cybersecurity matters and can formulate public disclosures that are not misleading, whether through affirmative statements or through omissions in light of statements made. Given the risk of insider trading relating to cybersecurity discussed above, public companies also should ensure that their insider trading policies, and the training for directors and employees on those policies, are robust, understandable and taken seriously.
The Interpretive Guidance is a helpful reminder of disclosure and other compliance considerations for companies. Although the SEC to date has not charged any public companies with disclosure violations relating to cyber incidents, the guidance could signal an increased appetite for the SEC to consider taking such action in the future. As the SEC’s cybersecurity web portal explains: “The SEC uses its civil law authority to bring cybersecurity-related enforcement actions that protect investors, hold bad actors accountable and deter future wrongdoing.” That warning provides another incentive for companies to employ sound cybersecurity practices, including:
- Conducting regular cyber risk assessments.
- Regularly (at least annually) engaging with the board of directors or the appropriate board committee on cybersecurity matters.
- Routinely updating incident response plans based on emerging threats.
- Periodically practicing implementation of incident response plans across all applicable departments in a company, not just IT.
- Training officers and employees to detect and report suspicious activity, while refraining from trading on or informally publicizing breach investigations.
The Interpretive Guidance’s additional discussion of potential insider trading issues and of the importance of maintaining policies and procedures designed to prevent insider trading, combined with the SEC’s focus on insider trading and market abuse, also likely indicates that directors, officers and employees should expect all transactions in a company’s securities near the time of public disclosure of a cyber incident to be scrutinized closely, and that measures to avoid even an appearance of impropriety may be advisable. Companies and their directors, officers and employees should consider themselves forewarned of potential heightened scrutiny in this area and should continue to track developments on securities trading and cybersecurity disclosure issues closely.