In late February, the SEC issued an interpretive release to guide public companies facing cybersecurity incidents and risks.
The guidance, effective February 26, 2018, compares the importance of digital information to electricity and other forms of power. Likening cybersecurity to a utility such as electric power has important implications. In the United States, we take the availability of electricity for granted, and even temporary losses of power can produce widespread and sometimes unanticipated harm. Individual comments in the interpretive guidance show how broadly the SEC may read “material” when it comes to cybersecurity disclosures.
The guidance identifies several types of costs associated with cyber breaches, including remediation of the breach, new or increased costs of monitoring or protection, lost revenues, legal and litigation risk, increased insurance burdens, reputational harm, and ultimately impact on a company’s stock price or competitiveness. Assessing the impact of a cyber incident in real time is notoriously difficult: it takes time to understand the scope of the breach and the extent to which data was compromised, and companies may need to work with outside consultants and federal agencies after an incident. Nonetheless, under the SEC guidance, any company that suffers a significant cybersecurity incident should weigh whether the impact on any of these factors warrants timely and/or enhanced public disclosure.
The SEC appears to anticipate that companies will increase or expand public disclosures about cybersecurity issues, addressing risk factors in addition to the facts of actual data breaches. The release discusses, for example, including cybersecurity-related disclosures in public companies’ periodic reports. It also strongly suggests that incident-related disclosures should address the significance of the information that may have been compromised and whether the event might affect the company’s daily operations, touching on as many of the factors identified in the previous paragraph as might be material to the investing public.
Legal proceedings related to cybersecurity, like any litigation, may be large or significant enough that they warrant a timely disclosure or update. The guidance is fairly pointed in calling for such proceedings, if material, to be identified with a high degree of specificity. Likewise, an incident grave enough to affect cash flow, insurance premiums, sales, revenue or costs may affect the company’s financial statements and therefore require public disclosure.
In an important caveat, the SEC does not expect disclosures so detailed that they would compromise the company’s cybersecurity program; a filing is not meant to serve as a roadmap for attackers.
BOARD INVOLVEMENT IN CYBER ISSUES
The SEC also considers cybersecurity important enough to demand board-level discussion and oversight. This specifically includes policies and procedures for preventing and handling cybersecurity breaches, and it fits a growing expectation that the board or an appropriate board committee will monitor important compliance issues. Like any other compliance initiative, cybersecurity compliance likely includes assessing the sufficiency of a company’s internal controls and cyber defenses and keeping senior management informed of changes in compliance measures. Because many breaches exploit weaknesses in internal controls, this factor may be very important to the SEC for disclosure purposes. Even apart from this guidance, cybersecurity compliance is already among the important issues on compliance officers’ plates. Particularly for companies that have faced cyber attacks or suffered cyber incidents, compliance and remediation could create material costs that a company might need to disclose.

Finally, because Exchange Act rules require the principal executive and principal financial officers to certify the effectiveness of a company’s disclosure controls and procedures, senior management has a compelling incentive to ensure that disclosures are well-informed, that compliance processes and procedures are appropriate, and that there are no obvious deficiencies in the company’s cyber defenses. If any such obvious deficiencies exist, signing a certification while failing to publicly disclose known weaknesses could be a source of liability in the future. Previous SEC guidance did not address cyber compliance with this depth or level of specificity.
The Commission specifically noted that material nonpublic information can include knowledge of cybersecurity incidents, so trading in company securities on that knowledge may violate insider trading prohibitions. This is one change, or amplification, relative to the SEC’s 2011 guidance on these issues. The guidance suggests that companies should not only disclose cyber issues but also prevent corporate insiders from trading in company securities until investors have been informed of the gravity and scope of a cybersecurity breach.
THE CHAIRMAN’S COMMENTS ABOUT THE NEW GUIDANCE
SEC Chairman Jay Clayton’s statement on the release emphasizes the Commission’s goal of “promoting clearer and more robust disclosure” in this area and its interest in stronger internal controls and procedures for cybersecurity threats.
Most companies tend to limit public disclosures about data breaches in an effort to control reputational damage. Until the SEC brings enforcement actions informed by the new guidance, it remains to be seen whether public companies will follow it or ignore it. The summer 2017 Equifax breach is a good example. Equifax did not disclose key information about the breach until six weeks had passed, and several Equifax executives sold nearly $2 million in stock within days of the company’s discovery of the breach. To date, the SEC has not initiated any public proceedings against the company; in light of the new guidance, we may see enforcement actions for such conduct in the future.