SEC Updates Guidance on Cybersecurity Disclosures
On Wednesday, February 21, 2018, the Securities and Exchange Commission (SEC) issued updated guidance regarding cybersecurity disclosures, explaining that “[i]n light of the increasing significance of cybersecurity incidents,” it is “critical” for investors to be timely informed about “material cybersecurity risks and incidents” – even by companies that may not yet have been the target of a cyber-attack.
The updated guidance emphasizes:
- the importance of a company’s development of “comprehensive” cybersecurity policies and procedures, including effective disclosure controls and processes; and
- the prohibition against insider trading after a cybersecurity incident.
COMPREHENSIVE CYBERSECURITY POLICIES & PROCEDURES TO DISCERN RISKS & IMPACTS
The SEC guidance “reinforces and expands upon” the Commission’s 2011 guidance. Now, so that investors are timely informed, the SEC is encouraging companies to maintain the following:
- “comprehensive” cybersecurity policies and procedures,
- disclosure controls and processes that provide a mechanism for discerning likely risks and impacts, and
- a protocol for determining the likely materiality of those risks and impacts, including timely informing the company’s responsible persons about incidents which it has or is likely to face.
The updated guidance does not define which specific procedures and controls are “sufficient,” but it does indicate that such procedures and controls should exist, should ensure that relevant reporting is escalated up the corporate ladder, and should prevent insiders from trading on information regarding cybersecurity risks and incidents.
CONTEXT-SPECIFIC DISCLOSURE; NO MORE “BOILERPLATE”
The updated guidance notes that since the SEC’s last cybersecurity-related guidance in 2011, most companies have begun to disclose cybersecurity risks in required filings. However, the updated guidance now specifically cautions against “generic cybersecurity-related disclosures” or “boilerplate.” As a result, disclosures should be tailored to the company’s own situation.
A company is not required to disclose the details of its defenses, but it should recognize that material cybersecurity risks and incidents may now carry a long list of costs, such as but not limited to:
- loss of revenues, reputation, and intellectual property;
- costs of remediation, litigation, and increased insurance premiums; and
- costs of regulatory compliance – the guidance specifically cites, in a footnote, the regulations of the New York State Department of Financial Services and the European Union General Data Protection Regulation (scheduled to take effect in May 2018).
In particular, in deciding what to disclose, companies should consider:
- the aspects of their business that give rise to material cybersecurity risks, including industry- or counterparty-specific risks;
- the severity and frequency of prior attacks, and the probability and potential magnitude of future ones;
- the cost and adequacy of efforts to prevent or mitigate such attacks; and
- the wide range of possible costs.
Prior cyber-attacks or “incidents” (including occurrences which only “potentially” result in adverse consequences) may be an important part of the context in which risks should be considered and disclosed.
The updated guidance also acknowledges that prohibited insider trading can occur on the basis of material nonpublic information related to cybersecurity risks and incidents, especially during the vulnerable window after an incident has been detected but before it has been disclosed to the public. Though not directly referenced in the updated guidance, this particular reminder may be directed at recent allegations that Equifax executives traded stock ahead of the disclosure of the Equifax data breach.