The Release reinforces and expands CF Disclosure Guidance: Topic No. 2 – Cybersecurity (the “2011 Guidance”), interpretive guidance on cybersecurity disclosure requirements published by the staff of the SEC Division of Corporation Finance in October 2011. The principal objective of the 2011 Guidance was to state the staff’s view that, although no existing disclosure requirement under the federal securities laws explicitly refers to cybersecurity risks or incidents, public companies may still have an obligation to disclose these risks and incidents. The Release represents the Commission’s endorsement of the staff’s 2011 Guidance and adds discussion of the Commission’s views on three areas, not discussed in the 2011 Guidance, in which the Commission believes that company policies should reflect cybersecurity risks and incidents.
In his statement on the Release, SEC Chair Jay Clayton urged companies to “examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives.” He added that he has asked the Division of Corporation Finance to carefully monitor cybersecurity disclosures, and stated that the Commission will continue to evaluate cybersecurity developments and consider whether any further guidance or rules are needed.
Materiality. The Release reminds companies that disclosure of cybersecurity risks and incidents may be required if these risks or incidents could be material in a company’s specific circumstances. Materiality is fact-intensive, and materiality judgments depend on the nature, extent, and potential magnitude of these risks and incidents. Materiality may also depend on the potential range of harm, such as harm to a company’s reputation, financial performance, and customer and vendor relationships, or the possibility of litigation or regulatory investigations or actions by state and federal governmental authorities and non-U.S. authorities. The Release states that its guidance is not intended to suggest that companies should make disclosures that could compromise their cybersecurity efforts.
Specific Disclosure Areas. Like the 2011 Guidance, the Release specifically discusses potential disclosures in the following sections of registration statements and periodic reports: Risk Factors; Management’s Discussion and Analysis of Financial Condition and Results of Operations; Business; Legal Proceedings; financial statements (including the footnotes to the financial statements); and board oversight of risks facing the company. The Release highlights the potential need for companies that have previously experienced cybersecurity incidents to disclose those incidents “in order to place discussions of these risks in the appropriate context.” In these circumstances, companies should be aware that disclosure of potential risks alone may not be sufficient under the federal securities laws.
Disclosure Controls and Procedures. The Release reminds companies that the Securities Exchange Act and SEC Rules 13a-15 and 15d-15 require companies to maintain disclosure controls and procedures, and require management to evaluate and certify their effectiveness. Consistent with the earlier discussion of disclosure about cybersecurity risks and incidents, the Release also states that “[a] company’s disclosure controls and procedures should not be limited to disclosure specifically required” by SEC rules. A company’s disclosure controls and procedures should therefore cover cybersecurity risks and incidents, and the related disclosures and certifications should take those risks and incidents into account.
Insider Trading. The Release notes that information about cybersecurity risks and incidents, especially information about vulnerabilities and breaches, may be material nonpublic information. Trading by directors, officers and other company insiders may violate prohibitions on insider trading under federal securities laws and stock exchange rules. The Release encourages companies to consider how their codes of ethics and insider trading policies address trading based on material nonpublic information about cybersecurity risks and incidents, especially during periods when a company is investigating and assessing potentially significant cybersecurity incidents.
Regulation FD and Selective Disclosure. Finally, the Release states that a company’s obligations under Regulation FD apply to material nonpublic information about cybersecurity matters. The Commission states that it “expect[s] companies to have policies and procedures to ensure that any disclosure of material nonpublic information related to cybersecurity risks and incidents are not made selectively” or in violation of Regulation FD’s requirements concerning public disclosure of material nonpublic information.
Action Considerations for Companies
- Although the disclosure guidance in the Release largely restates prior guidance, the Release is a reminder that companies should regularly (for example, quarterly) review their disclosure about cybersecurity risks and incidents (both actual and potential) in their Form 10-K and Form 10-Q reports.
- Companies should review their policies in the following areas to ensure that the structure and operation of these policies is appropriately attuned to cybersecurity matters:
  - Disclosure controls and procedures;
  - Insider trading policies, especially those involving trading clearance and decisions to open and close trading windows; and
  - Regulation FD policies.
By adopting the Release, the Commission may also be signaling its willingness to pursue enforcement actions for violations of federal securities laws and rules as interpreted in the Release. In addition to the disclosure considerations covered in the Release, companies should review with particular care their disclosure controls and procedures, insider trading policies and Regulation FD/selective disclosure policies to minimize potential risk of SEC scrutiny, which could range from staff comments on SEC filings to subpoenas for information or enforcement actions.
Companies should also remember that although SEC rules and guidance are critical factors when companies make decisions about public disclosure, cybersecurity matters may also be subject to other important considerations. For example, the structure of an investigation following a cybersecurity incident, and the selection of company and outside personnel involved, may be driven by legal and practical considerations that are separate from federal securities disclosure considerations. To ensure that all relevant areas of good disclosure and good counsel are addressed expeditiously, companies should establish contingency plans to deal with cybersecurity events, and should consult with experienced counsel immediately when a potential cybersecurity incident is threatened or has occurred.