On February 21, 2018, the SEC issued new guidance for public companies regarding the disclosure of material cyber risks and incidents affecting their businesses.1 The new guidance updates and expands on guidance issued in October 2011 by the SEC’s Division of Corporate Finance,2 which advised that although no rule explicitly mandates cybersecurity disclosures, cyber risks and incidents could nonetheless be sufficiently material to investors to warrant disclosure in a company’s public filings. The new guidance is similarly non-binding but nonetheless addresses how disclosure of material cyber risks and incidents may be required as part of a company’s existing disclosure obligations. Here are five takeaways from the new guidance.
1. The Guidance Reflects Increased Interest by the SEC in Cybersecurity and Cyber Disclosures – and May Reflect an Appetite for Enforcement Actions in the Future
The past year has seen an increasing focus by the SEC on cybersecurity disclosure issues. For example, last April, Stephanie Avakian, now Co-Director of Enforcement at the SEC, said she could “absolutely” envision a situation in which the SEC would bring an enforcement action for inadequate cyber disclosures.3 In September 2017, SEC Chair Jay Clayton said that he is “not comfortable that the American investing public understands the substantial risks that we face systemically for cyber issues, and I’d like to see better disclosure around that.”4 Also in September, the SEC announced the creation of a new Cyber Unit within the Enforcement Division that was tasked with investigating a variety of “cyber-related misconduct.”5 Although the SEC has not yet brought an enforcement action over cybersecurity disclosures, the new guidance, coupled with the SEC’s increased interest in the issue, could signal that enforcement actions are on the horizon.
2. The New Guidance Can Be Viewed as a Response to Issues Raised by the Equifax Breach
The new guidance appears to be motivated, at least in part, by Equifax’s massive data breach, which exposed personally identifiable information (PII) for nearly every adult in the United States. Equifax publicly reported the breach in early September 2017, approximately five weeks after the breach was discovered by the company. Both the timeliness and adequacy of Equifax’s disclosure were widely criticized by the public and certain regulators, including state attorneys general. In addition, questions were raised about potential insider trading by certain Equifax executives, who collectively sold $1.8 million of Equifax shares between the time the breach was discovered and the time the breach was disclosed to the public. Equifax has said that an internal review has shown that the sales were appropriate because the executives, including the Chief Financial Officer, did not have knowledge of the breach at the time of the sales.6
The SEC’s guidance appears to address the Equifax breach in at least two ways. First, the guidance clearly takes aim at potential insider trading, admonishing insiders that they must not trade on material nonpublic information regarding cyber incidents. To that end, the guidance recommends that public companies adopt policies and procedures to guard against “corporate insiders taking advantage of the period between the company’s discovery of a cybersecurity incident and public disclosure of the incident to trade on material nonpublic information about the incident.” Second, the guidance also warns companies against taking too long to disclose cyber incidents, advising that companies should “take all required actions” to make timely disclosures. Further, the guidance notes that while some period of delay in disclosure may be appropriate – such as, for example, the need to cooperate with law enforcement – “an ongoing internal or external investigation … would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.”
3. The Guidance Recommends that Companies Adopt Cybersecurity Disclosure Policies and Procedures
Recognizing that companies may already have cybersecurity risk management policies and procedures and that those policies are “key elements of enterprise-wide risk management,” the guidance encourages companies to also adopt “comprehensive” policies and procedures for cybersecurity disclosures as a means of ensuring compliance with federal securities laws. Specifically, the guidance recommends companies implement policies and procedures that are (i) designed to ensure that relevant information is timely collected, recorded, analyzed, and reported to senior management; (ii) regularly tested and evaluated for their effectiveness; and (iii) included in certifications and disclosures that senior management makes in public filings regarding the design and effectiveness of the company’s disclosure controls and procedures. Further, as discussed above, the SEC also recommends that companies adopt policies and procedures to prevent insiders from trading on material nonpublic information concerning a cyber incident.
4. The Guidance Provides Criteria for Determining if a Cyber Risk or Incident is Material
The guidance outlines criteria to assist companies in determining whether cyber risks or incidents are material to investors and thus subject to disclosure. With respect to determining whether certain cybersecurity risks are material, the guidance counsels that companies consider (i) the frequency and severity of any prior cyber incidents; (ii) the probability and potential harm caused by future incidents; (iii) the adequacy of preventative actions taken by the company; (iv) the existence of any cybersecurity risks that are specific to the company, the company’s industry, or the company’s third-party vendors; (v) the costs associated with regulatory and legal risks, including cyber-related litigation, enforcement actions, and the cost of compliance with new regulations; and (vi) the potential for reputational harm. With respect to determining the materiality of cyber incidents, the guidance recommends that companies consider the impact of the incident on the company’s business and operations; the extent of the harm caused by the incident, including harm to reputation, financial performance, and customer and vendor relationships; and the possibility of litigation and enforcement actions.
5. The Guidance Advises Companies to Avoid Boilerplate Language in Disclosures
The new guidance encourages companies to avoid boilerplate or generic language in cybersecurity disclosures and instead “provide specific information that is useful to investors.” Nonetheless, the SEC recognizes that providing too much information may be counterproductive and that companies need not “disclose specific, technical information about their cybersecurity systems” if such information would provide a “‘roadmap’ for those who seek to penetrate a company’s security protections.”
* * *
In announcing the updated guidance, SEC Chair Jay Clayton noted that as companies “increasingly rely on and are exposed to digital technology as they conduct their business operations” they are exposed to “ongoing risks and threats of cybersecurity incidents.”7 As a result, Clayton urged public companies to “stay focused on these issues and take all required action to inform investors about material cybersecurity risks and incidents in a timely fashion.” Given the SEC’s increased focus on this issue, public companies would do well to look again at their cybersecurity disclosures and related policies and procedures to identify potential areas for improvement.
1 SEC Release Nos. 33-10459 & 34-82746, Commission Statement and Guidance on Public Company Cybersecurity Disclosures, available at https://www.sec.gov/rules/interp/2018/33-10459.pdf.
2 CF Disclosure Guidance: Topic No. 2, Cybersecurity (Oct. 13, 2011), available at https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
3 J. Hoover, SEC Suits Over Cyber Reporting Could Be on the Horizon, Law360 (Apr. 20, 2017), available at https://www.law360.com/articles/915377/sec-suits-over-cyber-reporting-could-be-on-horizon.
4 C. Germaine, Clayton Says No Shift in Enforcement Priorities at SEC, Law360 (Sept. 6, 2017), available at https://www.law360.com/articles/961063?scroll=1.
5 Press Release, SEC Announced Enforcement Initiatives to Combat Cyber-Based Threats and Protect Retail Investors (Sept. 25, 2017), available at https://www.sec.gov/news/press-release/2017-176.
6 Associated Press, Equifax probe finds executives’ $1.8M in stock sales, days after massive data breach, were legal, Chicago Tribune (Nov. 3, 2017), available at http://www.chicagotribune.com/business/ct-biz-equifax-stock-sale-investigation-20171103-story.html.
7 SEC Chairman Jay Clayton, Statement on Cybersecurity Interpretive Guidance (Feb. 21, 2018), available at https://www.sec.gov/news/public-statement/statement-clayton-2018-02-21.