On February 21, 2018, the U.S. Securities and Exchange Commission (“SEC”) issued cybersecurity disclosure guidance for public companies (“SEC Guidance”) that, according to SEC Chair Jay Clayton, “reinforces and expands” on the SEC Division of Corporation Finance’s prior guidance from 2011 (“Corp Fin Guidance,” which we previously covered) regarding disclosure requirements under the federal securities laws and related policies and procedures. Chair Clayton indicated that “providing the Commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors.”
Although this guidance was unanimously issued, two of the Commissioners questioned whether it adequately addresses the needs of the public markets. In particular, Commissioner Robert J. Jackson Jr. “reluctantly support[ed]” the guidance because it “essentially reiterates years-old staff-level views on this issue,” and Commissioner Kara M. Stein was “disappointed with the Commission’s limited action.” A close review of the SEC Guidance and a comparison to the Corp Fin Guidance (below) reveal that the new guidance appears to be a restatement of existing interpretations with clarifications around the margin, including:
- Materiality remains the hallmark of cybersecurity disclosures, but the SEC Guidance now more clearly identifies the portions of filings that should include these disclosures;
- Negative consequences of cybersecurity incidents are now viewed more broadly as guided by experience over the past seven years;
- The board’s role in overseeing cybersecurity risk management should be disclosed; and
- Disclosure controls should continue to be assessed and disclosed but, unlike the Corp Fin Guidance (which was silent on the subject), those controls now should also explicitly prohibit insiders from trading on material nonpublic information relating to cybersecurity risks and incidents.
Much of the SEC Guidance was already encapsulated more generally in the Corp Fin Guidance and other portions of the federal securities laws and regulations (e.g., the registration and anti-fraud provisions prohibit material misstatements or omissions regardless of whether they relate to cybersecurity). For example, based on the Corp Fin Guidance, public companies have generally disclosed three categories of cybersecurity risks:
- Operations Resiliency – the potential impact on a public company if its information systems or other business technologies fail;
- Data Breach Risk – the threats posed by historical and anticipated cybersecurity incidents given a public company’s business operations; and
- Regulatory Compliance – the costs associated with demonstrating compliance with data privacy, securities, and other laws that are enacted and modified worldwide.
Regardless of the apparent overlap, the SEC Guidance is helpful for the industry because it pulls the relevant guidance together into one reference document. And perhaps the most significant aspect of the SEC Guidance is that it is a formal adoption by the SEC of positions taken by its staff over the past seven years.
Materiality Remains the Hallmark of Cybersecurity Disclosures. Like the Corp Fin Guidance, the SEC Guidance reminds public companies that the federal securities laws require disclosure of material cybersecurity risks and incidents. Similarly, the SEC Guidance notes that the materiality of cybersecurity risks or incidents is a facts and circumstances determination that “depends upon their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations.” The SEC Guidance continues to emphasize that materiality also depends on “the occurrence of prior cybersecurity incidents, including their severity and frequency” and “the adequacy of preventative actions taken to reduce cybersecurity risks” in the context of the public company’s industry.
Also like the Corp Fin Guidance, the SEC Guidance encourages balance in making disclosures ‒ public companies should avoid generic boilerplate disclosures but also need not provide a “road map” that could compromise their own cybersecurity efforts. The SEC Guidance also continues to recognize that public companies may need time to determine the implications of a cybersecurity incident and that cooperating with law enforcement may limit the scope of disclosure.
Where the Corp Fin Guidance previously was silent, the SEC Guidance now indicates that public companies may not avoid disclosures altogether on the basis of an internal or external investigation.
Negative Consequences of Cybersecurity Incidents Now Viewed More Broadly. The SEC Guidance reiterates the same Corp Fin Guidance examples of how public companies “may incur substantial costs and suffer other negative consequences,” including:
- Remediation costs, such as liability for stolen assets or information, repairs of system damage, and incentives to customers or business partners in an effort to maintain relationships after an attack;
- Increased cybersecurity protection costs, which may include the costs of making organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third party experts and consultants;
- Lost revenues resulting from the unauthorized use of proprietary information or the failure to retain or attract customers following an attack;
- Litigation; and
- Reputational damage that adversely affects customer or investor confidence.
But the SEC Guidance also lists the following examples that are not found in the Corp Fin Guidance:
- Ransomware payments;
- Legal risks, including regulatory actions by state and federal governmental authorities and non-U.S. authorities;
- Increased insurance premiums; and
- Damage to the company’s competitiveness, stock price, and long-term shareholder value.
Regardless, both sets of guidance emphasize that public companies should put their risks into context so that investors can understand them. In particular, if a public company has experienced a specific cybersecurity incident, the company likely should discuss the occurrence instead of mentioning it as merely a risk.
Conclusion. Given all this, it is important for public companies to carefully review the SEC Guidance to verify that their public disclosures and related controls satisfy regulatory and investor expectations. This recent guidance illustrates that the SEC is scrutinizing those disclosures and controls and expects public companies to respond accordingly. There is also little doubt that the plaintiffs’ bar will seize on this guidance to support securities class actions going forward.