On February 21 the SEC issued a “Commission Statement and Guidance on Public Company Cybersecurity Disclosures”. The Release contains new guidelines and requirements regarding public companies’ disclosure responsibilities for cybersecurity situations. No new rules or regulations have been issued at this point, but the Release contains some valuable guidance. It is also clear that cybersecurity is a hot button for the SEC and for Chair Clayton, and I believe that cybersecurity disclosure issues will be subject to more rigorous scrutiny going forward. All public companies should carefully review the Release and evaluate their disclosure obligations in connection with cybersecurity.
The Release updates the SEC’s position on cybersecurity. The SEC’s previous guidance in this area was primarily a Corporation Finance Division Release issued in 2011 that did not contain specific disclosure requirements. The cybersecurity landscape has changed radically since then. The substantial increases in the number and severity of cybersecurity incidents, coupled with the growing dependence of businesses on cyber systems and the associated problems that arise in a cybersecurity incident, have clearly convinced the SEC that additional disclosure is required.
The Release also confirms the SEC’s perception of the critical importance of cybersecurity issues for public companies. Chair Clayton clearly communicates this in his announcement accompanying the Release, where he says “I believe that providing the Commission’s views on these [cybersecurity] matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors.” He also focuses on several areas of interest for the SEC, urging public companies to “examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives.”
The SEC’s new Release confirms that the 2011 Release remains valid, but stresses that the new Release is intended to reinforce and expand the 2011 Release. The new Release also focuses on two topics that the 2011 Release did not address: (1) the importance of having robust cybersecurity policies and procedures in place and (2) the application of insider trading prohibitions in cybersecurity situations. It is clear that the SEC will be focusing on these areas going forward, and public companies should accordingly carefully review their cybersecurity policies and procedures to reduce or eliminate SEC comments on filings and other forms of scrutiny. Additionally, public company executives should be very careful regarding any transactions in their companies’ securities and how they might be viewed in connection with any cybersecurity incidents or situations. This last item resulted from recent data breach and cybersecurity situations in which company executives sold securities before the incident was disclosed to the public.
The Release contains some fairly specific Securities Act and Exchange Act disclosure obligations for public companies. This guidance relates to periodic reports, registration statements and current reports. While cybersecurity disclosure is not specifically contemplated in current regulations, the Release clearly elevates cybersecurity issues to required disclosure status where material. Materiality is tied to the potential harm that a cybersecurity risk or incident could cause, and includes such items as reputational harm, financial performance, customer and vendor relationships, litigation, and regulatory investigations or actions by state and federal governmental authorities as well as non-US authorities. Specific areas of focus for cybersecurity disclosure mentioned in the Release are the MD&A, risk factors, description of business, legal proceedings, financial statement disclosure, and board risk oversight. The Release also warns against selective disclosure of cybersecurity information under Regulation FD.
SEC Commissioners Stein and Jackson supported the Release but expressed some concern that the Release did not go far enough and that official new disclosure requirements need to be implemented. Commissioner Stein’s Statement on the Release can be found here.
The Release shows some practicality as it clarifies that the SEC does not expect public companies to disclose technical details regarding their cybersecurity systems and procedures or related vulnerabilities, as this might aid or expedite efforts by hackers in intruding into the company’s cyber systems. The Release makes clear, however, that the SEC expects public companies to disclose material cybersecurity risks and incidents, including related financial, legal or reputational consequences. The Release specifically mentions that where a public company has identified a cybersecurity incident or risk that would be material to investors, the company must make appropriate and timely disclosure of such items sufficiently prior to any offer or sale of securities and must also take appropriate steps to prevent officers, directors and other corporate insiders from trading in the company’s securities until appropriate public disclosure has been made. The Release also states that companies should revisit prior disclosure in the cybersecurity area and determine if it needs to be corrected or updated to reflect the company’s actual situation in light of current cybersecurity concerns.
The Release is a valuable tool for public companies, as it provides some real guidance on a public company’s disclosure obligations in the cybersecurity area. While not imposing any new rules or regulations, the Release provides some very helpful guidance on the SEC’s stance in this area. I believe that this additional rulemaking will happen at some point relatively soon, but for now this Release is a critical resource that all public companies should carefully review and