Background
In October 2011, the Division of Corporate Finance issued guidance that provided views regarding disclosure obligations relating to cybersecurity risks and incidents. The guidance explains that, although no existing disclosure requirement explicitly refers to cybersecurity risk and cyber incidents, companies nonetheless may be obligated to disclose such risks and incidents. After the issuance of this guidance, many companies included additional cybersecurity disclosure, typically in the form of risk factors.
On Feb. 21, 2018, the SEC issued interpretive guidance in response to the ongoing risks and threats that cybersecurity presents to our capital markets and to companies operating in all industries, including public companies regulated by the Commission. Companies today rely more and more on digital technology to conduct their business operations and engage with their customers, business partners, and other constituencies. The U.S. Computer Emergency Readiness Team defines cybersecurity as “the activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation.”
Who does this guidance apply to?
- Public companies
When is it effective?
- February 26, 2018
What is the SEC’s new guidance related to cybersecurity disclosures?
- Effective disclosure controls and procedures: Public companies are required to establish and maintain appropriate and effective disclosure controls and procedures that enable them to make accurate and timely disclosures of material events, including those related to cybersecurity.
- Overview of the incident (without compromising security) and its effect on business operations
- Costs incurred
- Insurance proceeds and potential losses resulting from claims
- Estimates over warranty liability, litigation expenses, and deferred revenue
- Timely notification to investors: Public companies must inform investors about material cybersecurity risks and incidents, including breaches, in a timely fashion.
- Insider trading considerations: Directors, officers, and other corporate insiders must not trade a public company’s securities while in possession of material nonpublic information, which may include knowledge regarding significant cybersecurity risks and incidents, including vulnerabilities and breaches.
Where does this information need to be disclosed?
- Form 10-K and Form 10-Q
- Description of the business
- Risk factors
- Management’s discussion and analysis
- Legal proceedings
- Financial statement disclosures
- Schedule 14A – Risk Oversight by Board of Directors – Item 7
- Form 8-K or Form 6-K to disclose material cybersecurity incidents timely
Why is the SEC providing additional guidance?
- Cybersecurity incidents and the risks that result therefrom may affect a company’s financial statements and may result in:
- Expenses related to investigation, breach notification, remediation, and litigation, including the costs of legal and other professional services.
- Loss of revenue, providing customers with incentives or a loss of customer relationship assets value.
- Claims related to warranties, breach of contract, product recall/replacement, indemnification of counterparties, and insurance premium increases.
- Diminished future cash flows; impairment of intellectual, intangible, or other assets; recognition of liabilities; or increased financing costs.
- Disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.
- Information about a company’s cybersecurity risks and incidents may be material nonpublic information; directors, officers, and other corporate insiders would violate the anti-fraud provisions if they trade the company’s securities in breach of their duty of trust or confidence while in possession of that material nonpublic information.
How can companies adhere to the SEC guidance?
- Implement disclosure controls and procedures that provide an appropriate method of discerning the impact that cybersecurity risks may have on the company and its business, financial condition, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents.
- Take all required actions to inform and disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal, or reputational consequences.
- Adopt comprehensive policies and procedures related to cybersecurity and assess their compliance regularly, including the sufficiency of their disclosure controls and procedures as they relate to cybersecurity disclosure.
- Consider how companies’ codes of ethics and insider trading policies take into account and prevent trading on the basis of material nonpublic information related to cybersecurity risks and incidents.
Actions to take
Public company executives and their boards should revisit disclosures and disclosure controls and procedures, including controls over the sales of securities by executives. To learn more, or to understand how this cybersecurity guidance may impact your business, please contact us today.