SEC Guidance On Cybersecurity Disclosure
Posted by Laura Anthony, Esq. on March 29, 2018
SEC Guidance On Cybersecurity Disclosure- On February 20, 2018, the SEC issued new interpretative guidance on public company disclosures related to cybersecurity risks and incidents. In addition to addressing public company disclosures, the new guidance reminds companies of the importance of maintaining disclosure controls and procedures to address cyber-risks and incidents and reminds insiders that trading while having non-public information related to cyber-matters could violate federal insider-trading laws.
The new guidance begins with an introduction describing the importance of cybersecurity in today’s business world, driving the point home by comparing it to the importance of electricity. Cyber-incidents can take many forms, both intentional and unintentional, and commonly include the unauthorized access of information, including personal information related to customers’ accounts or credit information, data corruption, misappropriating assets or sensitive information or causing operational disruption.
Attacks use increasingly complex methods, including malware, ransomware, phishing, structured query language injections and distributed denial-of-service attacks. A cyber-attack can be in the form of unauthorized access or a blocking of authorized access.
The purpose of a cyber-attack can vary as much as the methodology used, including for financial gain such as the theft of financial assets, intellectual property or sensitive personal information on the one hand, to a vengeful or terrorist motive through business disruption on the other hand. Perpetrators may be insiders and affiliates, or third parties including cybercriminals, competitors, nation-states and “hacktivists.”
When victim to a cyber-attack or incident, a company will have direct financial and indirect negative consequences, including but not limited to:
• Remediation costs, including liability for stolen assets, costs of repairing system damage, and incentives or other costs associated with repairing customer and business relationships;
• Increased cybersecurity protection costs to prevent both future attacks and the potential damage caused by same. These costs include organizational changes, employee training and engaging third-party experts and consultants;
• Lost revenues from unauthorized use of proprietary information and lost customers;
• Increased insurance premiums;
• Damage to the company’s competitiveness, stock price and long-term shareholder value; and
• Reputational damage.
Whereas the 2011 disclosure guidance was conservative in its tone, trying to strike a balance between satisfying the disclosure mandates of providing material information related to risks to the investing community with a company’s need to refrain from providing disclosure that could, in and of itself, provide a road map to the very breaches a company attempts to prevent, the new guidance is more blunt in the critical need to inform investors about material cybersecurity risks and incidents when they occur.
A company’s ability to timely and properly make any required disclosure of cybersecurity risks and incidents requires the company to implement and maintain disclosure controls and procedures that provide an appropriate method of discerning the impact that such matters may have on the company and its business, financial condition, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents.
The guidance also stresses that the SEC expects public company officers, directors and other insiders to respect the importance and materiality of cybersecurity risk and incident knowledge and not trade a company’s security when in possession of non-public information related to cybersecurity matters. In that regard, companies should include cybersecurity matters in their insider trading policies and procedures. These insider trading policies should (i) guard against trading in the period between when a company learns of a cybersecurity incident and the time it is made public; and (ii) require the timely disclosure of such non-public information.