The Securities and Exchange Commission (SEC) has just published Interpretive Guidance to “assist” public companies with evaluation and reporting of their cybersecurity risks. This Guidance expands similar SEC guidance issued in 2011, reflecting the growing importance of the issue and highly-publicized cybersecurity breaches during the intervening years. The following discussion summarizes the new Guidance, and provides context.
What is SEC’s General Approach to Reporting and Disclosures?
SEC administers reporting requirements for companies listed on national securities exchanges (“listed companies” or “public companies”), under the federal securities laws, including the Securities Act of 1933 and the Securities Exchange Act of 1934. These requirements include detailed specifications for some reporting, such as financial reporting consistent with Generally Accepted Accounting Practices (GAAP). But SEC also administers vaguer reporting standards – including requirements to report any information that might be “material” to investors’ evaluation of a public company. Materiality is open to wide differences in interpretation, at any given time across companies with different activities and resources, and over time based on developments in markets and the wider world.
There are no explicit regulatory requirements for companies to address cybersecurity, but SEC’s growing conviction is that cybersecurity breaches are often “material,” and that cybersecurity risks can be material as well.
What was SEC’s Advice in 2011?
In October 2011, SEC’s Division of Corporation Finance issued CF Disclosure Guidance: Topic Number 2 Cybersecurity. This Guidance noted companies’ increasing dependence on digital technologies, and the accompanying increase in the risks and scale of possible disruption to their electronic systems, and of the frequency and severity of actual disruptions. This Guidance applied the following working definition of cybersecurity:
“Cybersecurity is the body of technologies, processes and practices designed to protect networks, systems, computers, programs and data from attack, damage or unauthorized access.”
SEC noted that cybersecurity breaches can occur in a number of ways, including intrusions designed to steal information or harm networks, as well as denial of service attacks. Costs can include costs of preventive measures, and damages related to actual incidents. Damages can include direct damages, remediation costs, increased costs to augment security, lost revenues, litigation, and reputational damage. SEC offered its guidance to help companies and members of the legal and accounting professions to describe these risks and their related impact on operations, within the framework of companies’ disclosure obligations under the federal securities laws. SEC also intended to address concerns that overly-detailed reporting might provide a “roadmap” for hackers and others.
With those factors in mind, SEC directed companies to consider which risks and outcomes are “material” to their operations. SEC also focused on possible inclusion of cybersecurity issues in compliance with general reporting requirements:
-
Risk factor disclosures in present operations and future projections (e.g., Regulation S-K, Item 503)
-
Management’s discussion and analysis of financial conditions and results of operations (MD&A; e.g., Regulation S-K, Item 303)
-
Description of business (e.g., Regulation S-K, Item 101)
-
Legal proceedings (e.g., Regulation S-K, Item 103)
-
Financial statement disclosures (e.g., Regulation S-X)
What’s SEC’s Advice in 2018?
SEC characterizes the new Guidance as reinforcing and expanding its 2011 Guidance. In particular, SEC is adding two additional elements:
-
Focus on the importance of maintaining comprehensive policies and procedures related to cybersecurity
-
Attention to insider trading risks, if directors and officers trade knowing about material undisclosed (“nonpublic”) cybersecurity-related risks or incidents
SEC has also reaffirmed the disclosure rules that require public companies to address material cybersecurity risks:
-
General reporting requirements – periodic reports (those referenced in SEC’s 2011 Guidance); registration statements under the 1933 and 1934 Acts; current reports (Form 8-K or 6-K; these are used to report late-breaking events)
-
Other material reporting provisions – those referenced in SEC’s 2011 Guidance, plus statement of the board of directors’ risk oversight (Regulation S-K, Item 407)
-
Policies and procedures – comprehensive disclosure controls and procedures, protections against insider trading, and prevention of selective disclosures (i.e., Regulation F-D).
Self-Assessment Checklist
Has the organization addresses cybersecurity risks to its activities and operations?
-
Has it established preventive measures?
-
Has it established oversight, policies and procedures?
-
Has it suffered any cybersecurity breaches, and if so what resulted?
Is the organization registered on a national securities exchange, subject to public company reporting requirements administered and enforced by SEC?
- If so, has it reported any “material” cybersecurity risk issues?
Where Do I Go For More Information?
Information available via the Internet includes:
-
SEC “Commission Statement and Guidance on Public Company Cybersecurity Disclosures” (2/21/18)
-
SEC “CF Disclosure Guidance: Topic Number 2 Cybersecurity” (10/13/11)
Specialty Technical Publishers (STP) provides a variety of single-law and multi-law services, intended to facilitate clients’ understanding of and compliance with requirements. These include:
About the Author
Jon Elliott is President of Touchstone Environmental and has been a major contributor to STP’s product range for over 25 years. He was involved in developing 13 existing products, including Environmental Compliance: A Simplified National Guide and The Complete Guide to Environmental Law.
Mr. Elliott has a diverse educational background. In addition to his Juris Doctor (University of California, Boalt Hall School of Law, 1981), he holds a Master of Public Policy (Goldman School of Public Policy [GSPP], UC Berkeley, 1980), and a Bachelor of Science in Mechanical Engineering (Princeton University, 1977).
Mr. Elliott is active in professional and community organizations. In addition, he is a past chairman of the Board of Directors of the GSPP Alumni Association, and past member of the Executive Committee of the State Bar of California's Environmental Law Section (including past chair of its Legislative Committee).
You may contact Mr. Elliott directly at: tei@ix.netcom.com