As cybersecurity attacks have continued to gain prominence as a threat posing critical risk management and compliance challenges for financial institutions, the Securities and Exchange Commission (SEC) has emerged as an active federal regulator in this arena. In September 2017, the SEC announced the creation of a Cyber Unit housed within the SEC’s Enforcement Division that targets cyber-related misconduct, including hacking to obtain material nonpublic information, intrusions into retail brokerage accounts, and cyber-related threats to trading platforms and other critical market infrastructure. A little over a year prior to this announcement, Morgan Stanley paid $1 million to settle charges based on the SEC’s findings that the institution had failed to adopt reasonable policies and procedures to protect confidential customer information, which led to the hacking of data from approximately 730,000 customer accounts.
Most recently, in February 2018, the SEC issued a statement and interpretive guidance (2018 Guidance), applicable to public operating companies, that outlines the SEC’s views regarding disclosure requirements in the context of cybersecurity. The 2018 Guidance reinforces and expands upon guidance issued in 2011 (2011 Guidance). The 2018 Guidance also addresses two additional topics: the importance of maintaining cybersecurity policies and procedures; and the relevance of insider trading prohibitions with respect to cybersecurity. The genesis of the 2018 Guidance is the SEC’s belief that “[g]iven the frequency, magnitude and cost of cybersecurity incidents . . . it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.”
Guidance on Disclosure Requirements
Like the 2011 Guidance, the 2018 Guidance notes that “no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents.” The 2018 Guidance, however, goes on to highlight the specific requirements, set forth in Regulation S-K (17 C.F.R. Part 229) and Regulation S-X (17 C.F.R. Part 210), that may trigger the need for cyber-related disclosures in registration statements and in periodic and current reports. Those requirements and circumstances, which are discussed in much greater detail in the 2018 Guidance, include:
- Disclosure of Risk Factors – Companies are required to disclose the most significant factors that make investing in a company’s securities risky, and the 2018 Guidance states that cybersecurity risks and incidents could rank among a company’s most significant risk factors. The 2018 Guidance includes a series of issues a company should consider in determining whether cybersecurity risks or incidents should be disclosed as risk factors, including the occurrence of prior cybersecurity incidents and the probability of future incidents. The 2018 Guidance notes that, in order to place cybersecurity risks in context and effectively communicate those risks to investors, a company may be required to disclose past or ongoing incidents.
- Disclosure of Material Effects on Financial Condition – As part of management’s discussion and analysis (MD&A) of financial condition and results of operations, companies are required to highlight events, trends, or uncertainties that are reasonably likely to have a material effect on the company’s financial condition or that would render already reported financial information not necessarily indicative of future results or condition. The 2018 Guidance notes that the direct costs of cybersecurity measures and incidents, as well as costs associated with cybersecurity issues (e.g., loss of intellectual property, responding to regulatory investigations, preparing for and complying with cybersecurity legislation), may be appropriate to include in a company’s MD&A disclosure.
- Disclosure in Description of Business – The 2018 Guidance observes that companies may need to disclose cybersecurity incidents and risks as part of the required discussion of products, services, relationships with customers and suppliers, and competitive conditions, to the extent such incidents and/or risks impact those business components.
- Disclosure of Legal Proceedings – Companies are required to disclose information regarding material pending legal proceedings, which the 2018 Guidance notes may encompass proceedings related to cybersecurity issues (e.g., litigation by customers related to a cybersecurity breach involving theft of confidential customer information).
- Financial Statement Disclosures – The 2018 Guidance states that cybersecurity incidents may impact a company’s financial statements in a variety of forms, including expenses related to investigation of cyber-attacks and breach notifications, loss of revenue, and breach of contract claims.
- Disclosure of Board Oversight of Risk – Companies are required to disclose the extent to which their boards of directors are involved in risk oversight, and the 2018 Guidance indicates that this disclosure should include a discussion of a board’s role in managing cybersecurity risks, to the extent such risks are material to a company’s business.
Policies and Procedures
The 2018 Guidance goes beyond the 2011 Guidance in emphasizing the critical importance of cybersecurity risk management policies and procedures as part of a company’s enterprise-wide risk management, as well as a company’s compliance with federal securities laws related to internal controls and procedures. The 2018 Guidance encourages the adoption of comprehensive cybersecurity policies and procedures and the regular compliance assessment of such policies and procedures, including assessment of controls and procedures for processing and reporting relevant cybersecurity information for disclosure consideration. Noting the requirement for a company’s principal executive officer and financial officer to make certifications regarding the effectiveness of disclosure controls and procedures, the 2018 Guidance emphasizes that such certifications should account for the adequacy of controls and procedures for identifying and analyzing cybersecurity risks and incidents.
Finally, the 2018 Guidance emphasizes the applicability of insider trading laws in the context of cybersecurity risks and incidents. Specifically, the 2018 Guidance indicates that information regarding cybersecurity risks and incidents may constitute material nonpublic information, such that the trading of company securities by directors, officers, and other corporate insiders on the basis of such information would violate the antifraud provisions of federal securities laws.
Relatedly, the 2018 Guidance also highlights the obligations of companies under Regulation FD (17 C.F.R. § 243.100), which requires companies to publicly disclose material nonpublic information that has been selectively disclosed to certain persons listed under the regulation. The 2018 Guidance simply notes that the disclosure of material nonpublic information related to cybersecurity would be captured by the requirements of Regulation FD.
SEC Enforcement for Failure to Disclose
Just two months after issuing the 2018 Guidance, the SEC announced the payment of a $35 million penalty by Altaba, Inc., the successor to Yahoo, Inc., to settle charges that Yahoo misled investors by failing to disclose a massive hack of personal data for millions of customers. Specifically, the SEC’s order stated that Russian hackers stole personal information for Yahoo customers in December 2014 and that, despite learning of the breach within days of the intrusion, Yahoo failed to disclose the breach in quarterly and annual reports over the subsequent two years. In addition to finding that Yahoo had breached its disclosure obligations, the SEC found that Yahoo had failed to maintain reasonable disclosure controls and procedures. In announcing the payment of the $35 million penalty, the SEC cited the adoption of the 2018 Guidance earlier this year.
In the current environment of deregulation, the regulatory focus on cybersecurity shows no signs of abating. Notably, the Economic Growth, Regulatory Relief, and Consumer Protection Act signed by President Trump on May 24, 2018, which modifies or eliminates certain requirements under the Dodd-Frank Act, includes a requirement for the Secretary of the Treasury to submit to Congress a report within one year of the bill’s enactment on the risks of cyber threats to financial institutions. Among other information, the report must include an analysis of how the Federal banking agencies and the SEC are addressing cybersecurity risks and recommendations on whether any of the agencies require additional measures and resources to address such risks. The report may further bolster the sustained focus on cybersecurity by the SEC, and it may prompt the Federal banking agencies to issue further guidance and/or revisit enhanced cyber risk management standards for large entities and their service providers, which were presented in an advance notice of proposed rulemaking in October 2016 but never advanced further by the agencies.
We will be monitoring future activity by the SEC (and other Federal regulators) with respect to cybersecurity, including SEC enforcement actions that may further define the agency’s views regarding disclosure requirements. If you have questions about your company’s cybersecurity disclosure obligations, you can contact any member of our Privacy & Data Security practice group for more information.
Brian Soja is a former OCC enforcement attorney who advises global financial institutions in responding to government investigations and inquiries, including investigations involving reference rates and foreign exchange trading, and tax and AML questions raised by the leak of the Panama Papers data. He also advises clients on compliance with various regulations, including the Home Mortgage Disclosure Act (Regulation C), Regulation W, and FDIC regulations on brokered deposits and golden parachutes.