Sunshine, Disinfectant and SEC Guidance on Cybersecurity Disclosures
The fundamental principle of the SEC's market regulation is the power of sunshine, transparency and disclosure. In other words, the SEC seeks to ensure that companies disclose important information to the public so that securities markets operate efficiently. Whether the SEC has appropriately applied this principle in regulating the securities industry is a debate for another day. The SEC has, however, used this policy goal to address new and significant risks.
Earlier this year, on February 21, 2018, the SEC published new guidance concerning public company disclosures about cybersecurity risks and incidents. The new guidance built on prior guidance issued in 2011 on the same subject and, in many respects, expands that earlier guidance to address a number of new issues.
The SEC Guidance is an important document that will be used by its Office of Compliance Inspections and Examinations and cited to justify regulatory actions against companies for cybersecurity failures. Aside from SEC enforcement actions, the SEC Guidance is likely to be cited by litigants in civil litigation against companies for cybersecurity failures and for material omissions and misrepresentations.
In determining the materiality of a cybersecurity risk or incident, the SEC Guidance lists various criteria that companies should consider, including the nature and magnitude of the risk or incident and the reputational, financial or operational harm that could result from it. The SEC Guidance also notes that other considerations include potential litigation and regulatory enforcement actions by US or foreign authorities.
The SEC Guidance addresses another important issue: whether an ongoing internal or external investigation of a cybersecurity incident should excuse a company from publicly disclosing that incident as a material event. In addressing this issue, the SEC noted that the existence of such an investigation, by itself, does not provide a justification for avoiding or delaying disclosure.
The SEC’s Guidance also focuses on disclosures of the board’s role, if any, in the oversight of cybersecurity risks and the manner in which the board interacts and communicates about such risks. Corporate boards have increased their focus on cybersecurity risks. The SEC expects companies to explain what role the board plays in overseeing and monitoring cybersecurity risks and its relationship with management to ensure that such risks are mitigated and appropriately addressed. As a result, corporate board members have to exercise vigilance to understand cybersecurity issues, risks and potential threats.
In the wake of the insider trading concerns raised by the Equifax data breach, the SEC Guidance addressed potential insider trading risks relating to cybersecurity incidents. Specifically, the SEC encouraged companies to adopt codes of ethics and insider trading policies, together with appropriate controls, to prevent insiders from trading on material nonpublic information about a cybersecurity incident. At a minimum, companies should consider restricting trading by insiders during the period between discovery of an incident and its public disclosure, for example through a blackout period.
As another important measure, the SEC urged companies to design and implement robust cybersecurity risk management policies and procedures. As part of this compliance program, the SEC explained that companies should identify relevant information about cybersecurity risks and incidents and escalate it to senior management and those responsible for disclosure, so that the company makes appropriate and timely disclosures.
The SEC Guidance recommends that companies regularly assess the sufficiency of their compliance policies and procedures relating to cybersecurity risks and incidents. As part of these assessments, companies should review documents, interview key personnel and conduct readiness tests.
The SEC Guidance also notes the importance of addressing cybersecurity risks and incidents when acquiring companies. Cybersecurity issues should be a focus of both pre-acquisition due diligence and post-acquisition integration efforts.