On Feb. 22, 2018, the Securities and Exchange Commission (SEC) issued its first interpretive guidance since October 2011 on public companies’ cybersecurity risk and incident disclosure obligations. Although public companies are not subject to an express obligation to disclose data security threats under federal law or SEC regulations, the latest guidance confirms that “companies nonetheless may be obligated to disclose such risks and incidents.”
The purposes of the SEC’s new guidance are threefold:
- Reinforce and expand upon the October 2011 guidance;
- Address the importance of the adoption of cybersecurity policies and procedures; and
- Address insider trading within the context of cybersecurity risk exposure.
Reinforcement and Expansion of Existing Risk and Incident Disclosure Guidance
The SEC’s current and prior guidance regarding cybersecurity risk and incident disclosures is derived from five primary sources of authority, each of which may implicate necessary disclosures independently. These sources include companies’ registration disclosure obligations under the Securities Act and Securities Exchange Act, including 10-K and 8-K filings. Public companies also have a general obligation to disclose “such further material information, if any, as may be necessary to make [prior disclosures], in light of the circumstances under which they are made, not misleading” (Rule 408 of the Securities Act, 17 CFR 230.408).
The SEC has further stated:
[W]e recognize that a company may require time to discern the implications of a cybersecurity incident. We also recognize that it may be necessary to cooperate with law enforcement and that ongoing investigation of a cybersecurity incident may affect the scope of disclosure regarding the incident. However, an ongoing internal or external investigation . . . would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.
Adoption of Cybersecurity Policies and Procedures
In its updated guidance, the SEC is advising public companies to adopt “comprehensive” cybersecurity policies and procedures focused not only on mitigating threats, but also on ensuring adequate internal reporting of threats and incidents so they can be disclosed as necessary. As stated in the guidance, “[a] company’s disclosure controls and procedures should not be limited to disclosure specifically required, but should also ensure timely collection and evaluation of information potentially subject to required disclosure[.]”
In addition, public companies must tailor their cybersecurity policies and procedures to various other aspects of their disclosure-related obligations. This includes requirements for:
- A company’s CEO and CFO to certify the effectiveness of disclosure controls and procedures under Exchange Act Rules 13a-14 and 15d-14, and
- Companies to disclose their conclusions regarding the effectiveness of disclosure controls and procedures under Item 307 of Regulation S-K and Item 15(a) of Exchange Act Form 20-F.
Insider Trading Based on Knowledge of Cybersecurity Risks and Incidents
The SEC has also used its new interpretive guidance to remind company insiders of the potential risks of trading while in possession of material nonpublic information about a cybersecurity threat or incident. In the event of a data breach, insiders may have an obligation to refrain from trading in the company’s securities, and the company may also have an obligation to impose restrictions on its officers’, directors’ and other insiders’ securities transactions.
This guidance is material in light of the insider trading charges the SEC recently brought against Equifax’s former chief information officer Jun Ying. According to the SEC, Ying “allegedly used confidential information entrusted to him by the company to conclude that Equifax had suffered a serious breach.” Before Equifax publicly disclosed the breach, Ying allegedly exercised all of his vested Equifax stock options and then sold the shares, avoiding more than $117,000 in losses.
The SEC’s new interpretive guidance on cybersecurity risk and incident disclosures is a worthwhile read for anyone dealing with issues in this realm. It is available on the SEC’s website: Commission Statement and Guidance on Public Company Cybersecurity Disclosures.