The SEC’s Interpretive Guidance on Cybersecurity—What It Does, Doesn’t Do and Key Takeaways
On February 21, the SEC adopted new interpretive guidance (the Guidance) to assist public companies in preparing disclosures about cybersecurity risks and incidents. Response to the Guidance has been mixed, with some partisan bickering and calls that it does not do enough to meaningfully address cybersecurity risks. Nevertheless, the Guidance makes plain that the SEC is focused on cybersecurity and expects public companies to address and inform investors about material risks and incidents in a timely fashion. While it is not yet apparent how the SEC intends to enforce the Guidance, public companies should take heed. To that end, the following is a brief summary of what the Guidance does, doesn’t do and key takeaways.
What the Guidance Does
The Guidance reinforces previous guidance issued by the SEC’s Division of Corporate Finance in 2011 regarding the importance of disclosing cybersecurity risks and incidents to investors. In doing so, the SEC reminds public companies to consider the materiality of cybersecurity risks and incidents when preparing disclosures for registration statements, as well as periodic and current reports. It explains that materiality of such risks and incidents depend upon their nature, extent, potential harm (including financial and reputational) and potential magnitude, “particularly as they relate to any compromised information or the business and scope of company operations.”
The Guidance also identifies several sections of filings where disclosure should be considered and provides information regarding the types of disclosures that would be appropriate:
- Risk factors: The occurrence, severity and frequency of previous incidents; the probability of future incidents; the potential for reputational harm; costs to maintain protections; the adequacy of preventative actions; and laws and regulations that may affect the company.
- MD&A: The cost of ongoing cybersecurity efforts, as well as cybersecurity incidents; the risk of potential cybersecurity incidents.
- Description of business: The extent to which cybersecurity risks or incidents materially affect a company’s products, services or relationships.
- Legal proceedings: Any cybersecurity-related litigation or legal proceedings, including matters involving theft of customer information.
- Financial statement disclosures: The range and magnitude of financial impacts from cybersecurity incidents, including expenses for response, lost revenue, diminished future cash flows, increased financing costs and impairment of assets.
- Board risk oversight: How the board administers its risk oversight function as it pertains to material cybersecurity risks and how it engages with management on cybersecurity issues.
Through its discussion of disclosures, the SEC makes clear its expectation that public companies will prepare disclosures that are tailored to their business’s cybersecurity risks and incidents.
The Guidance also expands on the 2011 guidance by addressing two additional topics: insider trading and disclosure controls and procedures.
Insider trading: The Guidance emphasizes that undisclosed cybersecurity risks and incidents may constitute material nonpublic information and warns that trading on such information would violate the antifraud provisions of securities laws. The SEC recommends that companies (1) implement “well designed policies and procedures” to prevent trading on such material nonpublic information and (2) consider restrictions to prohibit insider trading while investigating cybersecurity incidents.
Disclosure controls and procedures: The Guidance “encourage[s] companies to adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly, including the sufficiency of their disclosure controls and procedures as they relate to cybersecurity disclosure.” Such controls and procedures should “enable companies to identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communication between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents.” The SEC notes that effective disclosure controls should ensure that information on cybersecurity risks and incidents is reported to appropriate personnel, including to senior management, so they can make disclosure decisions and certifications.
What the Guidance Doesn’t Do
The Guidance does not address several items that many critics—and some of the commissioners—thought it should. It does not, for example, modify any existing SEC rules. Nor does it create any SEC rules relating to cybersecurity, set minimum cybersecurity standards, or require particular controls or procedures. And it does not identify a specific enforcement mechanism to ensure compliance or impose penalties for noncompliance.
Notably, despite encouraging more robust disclosures relating to cybersecurity risks and incidents, the Guidance does not require companies to make disclosures with details that could enhance their risk. To that end, the Guidance states it “is not intended to suggest that a company should make detailed disclosures that could compromise its security efforts—for example, by providing a ‘roadmap’ for those who seek to penetrate a company’s security protections.” The SEC does not expect companies to disclose technical information about their systems or potential system vulnerabilities in such detail that they would be more susceptible to compromise.
- If nothing else, the Guidance provides further evidence that the SEC is concerned about cybersecurity and, in particular, disclosures relating to cybersecurity risks and incidents. Public companies should (1) assess their existing disclosure controls and procedures for consistency with the Guidance and (2) ensure that future disclosures are appropriately tailored to disclose material cybersecurity risks and incidents. They should also be mindful of their ongoing duty to correct and update prior disclosures.
- The Guidance makes clear that it expects boards to be informed decision makers when it comes to cybersecurity risks and incidents. Public companies should implement appropriate procedures to ensure that information about risks and incidents is disseminated appropriately to management and directors and, if appropriate, should consider cybersecurity training for board members.
- Public companies should review and revise insider trading policies and codes of ethics to ensure they will restrict the ability of insiders to trade on information about nonpublic cybersecurity risks and incidents, particularly incidents that are under investigation.