On Feb. 21, 2018, the Securities and Exchange Commission (SEC) voted unanimously to approve a statement and interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents. The SEC's February 2018 guidance expands upon previous guidance issued in October 2011 by the SEC's Division of Corporation Finance, which set out the Division's views regarding disclosure obligations relating to cyber risks and incidents.
In response to the October 2011 guidance, many companies included additional cybersecurity disclosures in the form of risk factors. The SEC, in response to “increasing significance of cyber security incidents,” has determined it is necessary to provide companies with further guidance on managing cybersecurity risks and disclosures of such risks.
The 2018 guidance consists of two main topics that were not developed as part of the 2011 guidance. First, the updated guidance emphasizes the criticality of establishing and maintaining comprehensive policies and procedures related to cybersecurity risks and incidents. Companies are required to “establish and maintain appropriate and effective disclosure controls and procedures that enable them to make accurate and timely disclosures of material events, including those related to cybersecurity.”
Second, the guidance is intended to remind companies of the “applicable insider trading prohibitions under the general antifraud provisions of federal securities laws and of their obligations to refrain from making selective disclosures.”
The revised 2018 guidance provides a summation of the SEC's rules regarding disclosure obligations and the materiality of risk. The SEC guides companies to consider the materiality of cybersecurity risks and incidents when preparing registration statements under the Securities Act of 1933 and the Securities Exchange Act of 1934 (Exchange Act) and periodic reports under the Exchange Act. Although the disclosure requirements of Regulation S-K and Regulation S-X do not specifically refer to cybersecurity, other reporting requirements could be triggered by, and impose an obligation to disclose, cybersecurity risks and incidents.
Companies filing periodic reports including annual reporting as part of the company's Form 10-K file are required to disclose specified information regarding their business operations, risk factors, legal proceedings, management's discussion and analysis (MD&A) of financial condition and results of operations, financial statements, disclosure controls and procedures and corporate governance. The SEC's guidance states “companies must provide timely and ongoing information in these periodic reports regarding material cybersecurity risks and incidents that trigger disclosure obligations.”
The guidance also makes it clear that Securities Act and Exchange Act registration statements must disclose all material facts required to be stated therein or necessary to make the statements therein not misleading. The SEC recommends that companies consider the adequacy of their cybersecurity related disclosures among other things in the context of Sections 11, 12, and 17 of the Securities Act, as well as Section 10(b) and Rule 10b-5 of the Exchange Act. Moreover, the SEC as part of this guidance reminds companies they are required to disclose “further material information if any as may be necessary to make the required statements in light of the circumstances under which they are made, not misleading.” The SEC considers “omitted information to be material if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available.”
The SEC's guidance offers explanation on how to best identify disclosure obligations concerning cybersecurity risks and incidents. According to the guidance, companies should generally weigh the potential materiality of any identified risks and, in the case of cyber incidents, the importance of any compromised information and the impact of the incident on the company's operations.
Factors to be considered with respect to materiality involve the nature of the risks, the extent, potential magnitude, and effect on the business and scope of operations. Materiality may also depend on the severity of the harm to the company's reputation, financial performance, and customer and vendor relationships as well as the possibility of litigation or regulatory investigations.
The guidance explains that companies are not required to provide a road map of disclosures that could compromise existing cybersecurity efforts or enable attackers to take advantage of such disclosure, i.e., specific technical information about cybersecurity systems, related networks and devices or potential system vulnerabilities.
Additionally, the guidance makes clear that the SEC understands that some material facts may not be available at the time of initial disclosures, but that ongoing internal investigations or cooperation with law enforcement as part of such investigations will not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.
Lastly, the guidance reminds companies of their duty to correct prior disclosures that are later determined to have been untrue, or to have omitted material facts, at the time the statement was made. The SEC guidance recommends that companies consider whether they should revisit or refresh previous disclosures during the investigation of a cybersecurity incident.
Item 503(c) of Regulation S-K and Item 3.D of Form 20-F require companies to disclose the most significant factors that make investments in the companies speculative or risky. The SEC guidance recommends that companies consider the following in evaluating cybersecurity risk factors:
In consideration of disclosures relevant for MD&A of financial condition and results of operations, companies are required under Item 303 of Regulation S-K and Item 5 of Form 20-F to discuss a company's financial condition and results of operations. The SEC guidance puts costs associated with ongoing efforts to manage cybersecurity risks and incidents in the context of the SEC's current requirements surrounding these specific disclosures.
Factors that companies should consider in the context of these disclosures include the costs associated with loss of intellectual property; costs related to managing the incident, as well as costs associated with prevention, insurance, responding to litigation, regulatory investigations, preparing and complying with proposed legislation, remediation efforts, addressing reputational harm and loss of competitive advantage.
Additionally, the guidance addresses the necessity of companies making disclosures when such disclosures could directly impact the company's financial statements. To the extent cybersecurity incidents and the resulting risks may affect a company's financial statements, the SEC expects that a company's financial reporting and control systems would be designed to provide reasonable assurance that information about the range and magnitude of the financial impact of a cybersecurity incident would be incorporated into such reporting. The SEC provides the following examples associated with a cybersecurity incident that could impact financial reporting:
Item 407(h) of Regulation S-K and Item 7 of Schedule 14A require a company to disclose the extent of its board of directors' role in the risk oversight of the company. The SEC guidance makes it clear that to the “extent cybersecurity risks are material to a company's business we believe this discussion should include the nature of the board's role in overseeing management of that risk.”
Additionally, the guidance makes it clear that “disclosures regarding a company's cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.”
Under Exchange Act Rules 13a-15 and 15d-15, companies must maintain disclosure controls and procedures, and management must evaluate their effectiveness. The rules define “disclosure controls and procedures” as those controls and other procedures designed to ensure that information required to be disclosed by the company in the reports that it files or submits under the Exchange Act is: 1) recorded, processed, summarized and reported within the time periods specified in the SEC's rules and forms; and 2) accumulated and communicated to the company's management … as appropriate to allow timely decisions regarding required disclosures.
The guidance notes that cybersecurity risk management policies and procedures are key elements of enterprise-wide risk management, including compliance with federal securities laws. The guidance encourages companies to adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly, including the sufficiency of their disclosure controls and procedures related to cybersecurity disclosures.
The guidance recommends that companies assess whether they have sufficient controls and procedures in place to ensure that relevant information about cybersecurity risks is processed and reported to appropriate personnel, including up the corporate ladder to enable senior management to make disclosure decisions and certifications and to facilitate policies and procedures to prohibit directors, officers and other corporate insiders from trading on the basis of material nonpublic information about cybersecurity risks and incidents.
The SEC guidance encourages companies to consider how their code of ethics and insider trading policies take into account and prevent trading on the basis of material nonpublic information related to cybersecurity risks and incidents.
Moreover, the guidance makes it clear that while companies are investigating and assessing significant cybersecurity incidents, and determining the underlying facts, ramifications and materiality of these incidents, they should consider whether it is appropriate to implement restrictions on insider trading of securities.
Finally, the guidance cautions companies to consider strategies to avoid the appearance of improper trading during the period following an incident, and prior to the dissemination of disclosure.
Finally, the SEC's guidance makes clear that companies are expected to have policies and procedures designed to ensure that any disclosures of material nonpublic information related to cybersecurity are in compliance with Regulation FD. Under Regulation FD, “when an issuer or person acting on its behalf, discloses material nonpublic information to certain enumerated persons it must make public disclosure of this information.”
The issue of concern is the selective disclosure of material nonpublic information to certain persons prior to disclosing the same material to the general public. The bottom line from the SEC's perspective is that companies and persons acting on their behalf should not selectively disclose material nonpublic information regarding cybersecurity incidents to Regulation FD enumerated persons before making full disclosure of that same information to the general public.
The SEC's expectation is that these policies and procedures ensure that disclosures of material nonpublic information related to cybersecurity risks and incidents are not made selectively and that any Regulation FD required public disclosure is made simultaneously and is compliant with Regulation FD.
Companies should strongly consider consulting with their securities counsel and qualified cybersecurity counsel to review this guidance and consider the following:
*****
David F. Katz is a partner in Nelson Mullins Riley & Scarborough's Atlanta office where he leads the Privacy and Information Security Practice Group. He may be reached at 404-322-6122 or by email at [email protected].