SEC Releases New Guidance on Cybersecurity Disclosures and Controls

Second, the guidance is intended to remind companies of the “applicable insider trading prohibitions under the general antifraud provisions of federal securities laws and of their obligations to refrain from making selective disclosures.”

Commission's Guidance and Overview of the Rules Requiring Disclosure of Cybersecurity Issues

The revised 2018 guidance provides a summation of the SEC's rules regarding disclosure obligations for materiality of risk. The SEC guides companies to consider the materiality of cybersecurity risks and incidents in preparation of registration statements under the Securities Act of 1933 and the Securities and Exchange Act of 1934 (Exchange Act) and periodic reporting under the Exchange Act. Although the disclosure requirements of Regulation S-K and Regulation S-X do not specifically refer to cybersecurity, there are other reporting requirements that could trigger and impose a requirement to disclose cybersecurity risks and incidents.

Companies filing periodic reports including annual reporting as part of the company's Form 10-K file are required to disclose specified information regarding their business operations, risk factors, legal proceedings, management's discussion and analysis (MD&A) of financial condition and results of operations, financial statements, disclosure controls and procedures and corporate governance. The SEC's guidance states “companies must provide timely and ongoing information in these periodic reports regarding material cybersecurity risks and incidents that trigger disclosure obligations.”

The guidance also makes it clear that Securities Act and Exchange Act registration statements must disclose all material facts required to be stated therein or necessary to make the statements therein not misleading. The SEC recommends that companies consider the adequacy of their cybersecurity related disclosures among other things in the context of Sections 11, 12, and 17 of the Securities Act, as well as Section 10(b) and Rule 10b-5 of the Exchange Act. Moreover, the SEC as part of this guidance reminds companies they are required to disclose “further material information if any as may be necessary to make the required statements in light of the circumstances under which they are made, not misleading.” The SEC considers “omitted information to be material if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available.”

Disclosure Analysis and Materiality of Cybersecurity Risk

The SEC's guidance offers explanation on how to best identify disclosure obligations concerning cybersecurity risks and incidents. According to the guidance, companies should generally weigh the potential materiality of any identified risks and in the case of cyber incidents the importance of any compromised information and the impact of the incident on the company's operations.

Factors to be considered with respect to materiality involve the nature of the risks, the extent, potential magnitude, and effect on the business and scope of operations. Materiality may also depend on the severity of the harm to the company's reputation, financial performance, and customer and vendor relationships as well as the possibility of litigation or regulatory investigations.

The guidance explains that companies are not required to provide a road map of disclosures that could compromise existing cybersecurity efforts or enable attackers to take advantage of such disclosure, i.e., specific technical information about cybersecurity systems, related networks and devices or potential system vulnerabilities.

Additionally, the guidance makes clear that the SEC understands that some material facts may not be available at the time of initial disclosures, but that ongoing internal investigations or cooperation with law enforcement as part of such investigations will not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.

Lastly, the guidance reminds companies of a duty to correct prior disclosures if later determined untrue or material facts were omitted at the time the statement was made. The SEC guidance recommends companies consider whether they should revisit or refresh previous disclosures during the investigation of a cybersecurity incident.

Summary of Risk Factors

Item 503(c) of Regulation S-K and Item 3.D of Form 20-F require companies to disclose the most significant factors that make investments in the companies speculative or risky. The SEC guidance recommends that companies consider the following in evaluating cybersecurity risk factors:

• The occurrence of prior cybersecurity incidents, including their severity and frequency;
• The probability of the occurrence and potential magnitude of cybersecurity incidents;
• The adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including, if appropriate discussing the limits of the company's ability to prevent or mitigate certain cybersecurity risks;
• The aspects of the company's business and operations that give rise to material cybersecurity risks and potential costs and consequences of such risks, including industry-specific risks and third-party supplier and service provider risks;
• The costs associated with maintaining cybersecurity protections, including if applicable, insurance coverage relating to cybersecurity incidents or payments to service providers;
• The potential for reputational harm;
• Existing or pending laws and regulations that may affect the requirements to which companies are subject relating to cybersecurity and the associated costs to companies; and
• Litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.

Management Discussion and Analysis of Financial Condition and Results of Operations

In consideration of disclosures relevant for MD&A of financial condition and results of operations, companies are required under Item 303 of Regulation S-K and Item 5 of Form 20-F to discuss a company's financial condition and results of operations. The SEC guidance puts costs associated with ongoing efforts to manage cybersecurity risks and incidents in the context of the SEC's current requirements surrounding these specific disclosures.

Factors that companies should consider in the context of these disclosures include the costs associated with loss of intellectual property; costs related to managing the incident, as well as costs associated with prevention, insurance, responding to litigation, regulatory investigations, preparing and complying with proposed legislation, remediation efforts, addressing reputational harm and loss of competitive advantage.

Financial Reporting

Additionally, the guidance also addresses the necessity of companies making disclosures when such disclosures could directly impact the company's financial statements. To the extent cybersecurity incidents and the resulting risks may affect a company's financial statements, the SEC expects that a company's financial reporting and control systems would be designed to provide reasonable assurances that information about the range and magnitude of the financial impact of a cybersecurity incident would be incorporated into such reporting. The SEC provides the following examples associated with a cybersecurity incident that could impact financial reporting:

• Expenses related to investigation; breach notification, remediation and litigation, including the costs of legal and other professional services;
• Loss of revenue, providing customers with incentives or loss or customer relationship asset value;
• Claims related to warranties, breach of contract, product recall/replacement, indemnification of counterparties, and insurance premiums; and
• Diminished future cash flows, impairment of intellectual, intangible or other assets, recognition of liabilities; or increased financing costs.

Board Risk Oversight

Item 407(h) of Regulation S-K and Item 7 of Schedule 14A require a company to disclose the extent of its board of director's role in the risk oversight of the company. The SEC guidance makes it clear that to the “extent cybersecurity risks are material to a company's business we believe this discussion should include the nature of the board's role in overseeing management of that risk.”

Additionally, the guidance makes it clear that “disclosures regarding a company's cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.”

Policies and Procedures

Under Exchange Act Rules 13a-15 and 15-15, companies must maintain disclosure controls and procedures and management must evaluate their effectiveness. The rules define “disclosure controls and procedures” as those controls and other procedures designed to ensure that information required to be disclosed by the company in the reports that it files or submits under the Exchange Act is: 1) recorded, processed, summarized and reported, within the time periods specified in the SEC's rules and forms; and 2) accumulated and communicated to the company's management … as appropriate to allow timely decisions regarding required disclosures.

The guidance notes that cybersecurity risk management policies and procedures are key elements of enterprise-wide risk management include compliance with federal securities laws. The guidance encourages companies to adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly, including the sufficiency of their disclosure controls and procedures related to a cybersecurity disclosure.

The guidance recommends that companies assess whether they have sufficient controls and procedures in place to ensure that relevant information about cybersecurity risks is processed and reported to appropriate personnel, including up the corporate ladder to enable senior management to make disclosure decisions and certifications and to facilitate policies and procedures to prohibit directors, officers and other corporate insiders from trading on the basis of material nonpublic information about cybersecurity risks and incidents.

Insider Trading

The SEC guidance encourages companies to consider how their code of ethics and insider trading policies take into account and prevent trading on the basis of material nonpublic information related to cybersecurity risks and incidents.

Moreover, the guidance makes it clear that while companies are investigating and assessing significant cybersecurity incidents, and determining the underlying facts, ramifications and materiality of these incidents, they should consider whether it is appropriate to implement restrictions on insider trading of securities.

Finally, the guidance cautions companies to consider strategies to avoid the appearance of improper trading during the period following an incident, and prior to the dissemination of disclosure.

Regulation FD and Selective Disclosure

Finally, the SEC's guidance makes clear that companies are expected to have policies and procedures designed to ensure that any disclosures of material nonpublic information related to cybersecurity are in compliance with Regulation FD. Under Regulation FD, “when an issuer or person acting on its behalf, discloses material nonpublic information to certain enumerated persons it must make public disclosure of this information.”

The issue of concern is the selective disclosure of material nonpublic information to certain persons prior to making disclosures of the same material to the general public. The bottom line from the SEC's perspective is that companies and persons acting on their behalf should not selectively disclosure material nonpublic information regarding cybersecurity incidents to Regulation FD enumerated persons before making full disclosures of that same information to the general public.

The SEC's expectation is that these policies and procedures ensure that disclosures of material nonpublic information related to cybersecurity risks and incidents are not made selectively and that any Regulation FD required public disclosure is made simultaneously and is compliant with Regulation FD.

Recommendations

Companies should strongly consider consulting with their securities counsel and a qualified cybersecurity counsel to review this guidance and consider the following:

• Conduct a risk assessment to evaluate cybersecurity risks subject to the attorney-client privilege in order to evaluate past disclosures and in consideration of future disclosure.
• Determine if past cybersecurity incidents warrant new or updated disclosures in light of this guidance.
• Immediately review and update incident response plans to address this guidance and ensure pre-breach and post breach planning confirm to the regulatory requirements referenced in this guidance.
• Examine existing policies and procedures and where deficient immediately adopt new policies and procedures to ensure compliance with this guidance and existing regulatory requirements.
• Conduct awareness training for the board of directors and senior management regarding this guidance and specifically on the topic of insider trading.
• Prepare in advance through the use of tabletop exercises to access incident response and incorporation of the newly issued guidance into the response.

*****

David F. Katz is a partner in Nelson Mullins Riley & Scarborough's Atlanta office where he leads the Privacy and Information Security Practice Group. He may be reached at 404-322-6122 or by email at [email protected].