On February 21, 2018, the U.S. Securities and Exchange Commission (“SEC”) voted unanimously to disseminate its Statement and Guidance on Public Company Cybersecurity Disclosures, an “interpretive guidance” designed to help publicly-traded companies satisfy their cybersecurity risk disclosure obligations. The new guidance supplements the SEC’s initial October 13, 2011 Cybersecurity Disclosure Guidance, which was relatively broad, by: 1) articulating the SEC’s expectations regarding the adequacy of disclosures; and, for the first time, 2) recommending the implementation of policies and procedures that address disclosure controls as well as insider trading. 

Disclosure Obligations

The SEC’s new guidance, which was released in the wake of several high-profile data breaches, expands on the agency’s earlier position that cybersecurity risks and incidents trigger disclosure obligations in the context of publicly traded companies. While the new guidance reiterates several risk factors identified in the SEC’s 2011 publication, it reinforces  the importance of considering a risk or incident’s materiality in evaluating disclosure obligations, and clarifies the agency’s key expectations regarding the manner in which public companies must inform investors about material cybersecurity risks and incidents:

  • Companies are expected to take all required actions to make appropriate and timely disclosures to investors about cybersecurity incidents or risks of which they are aware.
    • The scope of the initial disclosure may be impacted by the availability of material facts at the time of the initial disclosure as well as the extent to which the company is cooperating with law enforcement.
    • Excusable delays do not eliminate a company’s ongoing duty to correct or update initial disclosures once additional material information becomes available.
  • Disclosures should include information expressly required by applicable federal securities laws as well as other material information.
    • As we previously reported, materiality typically turns on the nature, extent, potential magnitude, and range of harm posed by such cybersecurity risks or incidents. If there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or would have been viewed by a reasonable investor as having “significantly altered the total mix of information available,” then a duty to update may apply.
    • “Companies may need to disclose previous or ongoing cybersecurity incidents or other past events,” including those involving suppliers, customers, competitors, or others, “in order to place discussions of these risks in the appropriate context.”
  • As with all companies, the new guidance places significant weight on Boards of Directors with respect to escalation of issues that potentially may trigger organizational disclosure obligations, but also in the context of oversight. In that regard, the SEC makes clear that including a description of the Board’s role in the disclosure process impacts the extent to which the agency deems a cybersecurity-related disclosure adequate.

Policies and Procedures

The new guidance addresses two topics that were not developed in the initial guidance. First, the new guidance requires public companies to collaborate with their directors, officers, and other key stakeholders responsible for oversight to develop disclosure controls and processes designed to facilitate the timely disclosures of material cybersecurity events that the company has or likely will face.

Second, the new guidance also encourages companies to be mindful of insider trading concerns, noting that directors, officers, and corporate insiders should not trade securities while in the possession of nonpublic material information about cybersecurity risks and incidents before such disclosures are made public. The SEC’s prohibition appears to indirectly correspond to recent allegations that that Equifax executives allegedly sold thousands of companies shares within days of discovering a data breach impacting up to 143 million U.S. consumers. To avoid the appearance of impropriety, the SEC’s new guidance highlights the importance of implementing restrictions on insider trading during the period following a cybersecurity incident and prior to dissemination of the disclosure.

While the SEC’s updated guidance does not provide a definitive framework on which public companies may rely in assessing their cybersecurity risks, it demonstrates the agency’s ongoing commitment to improving transparency among public companies, business partners, and customers, and providing tools for companies to leverage as they enhance their cybersecurity and compliance postures. Adoption of the new guidance suggests that the SEC will be taking a close look at public company disclosures as they relate to cybersecurity risks and incidents. Although the new guidance specifically targets public companies regulated by the SEC, our economy’s increased dependence on networked systems coupled with the proliferation of continuously evolving cyberattacks underscores the criticality of ensuring that all organizations – public and private – adequately prepare for, prevent, and mitigate the consequences of cybersecurity incidents.