SEC Issued New Guidance On Cybersecurity Risks and Incidents
Posted by Laura Anthony, Esq. on April 05, 2018
SEC Issued New Guidance On Cybersecurity Risks and Incident- On February 20, 2018, the SEC issued new interpretative guidance on public company disclosures related to cybersecurity risks and incidents. In addition to addressing public company disclosures, the new guidance reminds companies of the importance of maintaining disclosure controls and procedures to address cyber-risks and incidents and reminds insiders that trading while having non-public information related to cyber-matters could violate federal insider-trading laws.
Public companies have many disclosure requirements, including through periodic reports on Forms 10-K, 10-Q and 8-K, through Securities Act registration statements such as on Forms S-1 and S-3 and generally through the antifraud provisions of both the Exchange Act and Securities Act, which requires a company to disclose “such further material information, if any, as may be necessary to make the required statements, in light of the circumstances under which they are made, not misleading.” The SEC considers omitted information to be material if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available.
As with all disclosure requirements, the disclosure of cybersecurity risk and incidents requires a materiality analysis. Although there continues to be no specific disclosure requirement or rule under either Regulation S-K or S-X that addresses cybersecurity risks, attacks or other incidents, many of the disclosure rules encompass these disclosures indirectly, such as risk factors, internal control assessments, management discussion and analysis, legal proceedings, disclosure controls and procedures, corporate governance and financial statements. As with all other disclosure requirements, an obligation to disclose cybersecurity risks, attacks or other incidents may be triggered to make other required disclosures not misleading considering the circumstances.
A company has two levels of cybersecurity disclosure to consider. The first is its controls and procedures and corporate governance to both address cybersecurity matters themselves and to address the timely and thorough reporting of same. The second is the reporting of actual incidents. In determining the materiality of a particular cybersecurity incident, a company should consider (i) the importance of any compromised information; (ii) the impact of an incident on company operations; (iii) the nature, extent and potential magnitude of the event; and (iv) the range of harm such incident can cause, including to reputation, financial performance, customer and vendor relationships, litigation or regulatory investigations.
Of course, the new guidance is also clear that a company would not need to disclose the depth of information that could, in and of itself, provide information necessary to breach cyber-defenses. A company would not need to disclose specific technical information about cybersecurity systems, related networks or devices or specific devices and networks that may be more susceptible to attack due to weaker systems.
The new guidance also reminds companies that they have a duty to correct prior disclosures that the company determines were untrue at the time material information was made or omitted, and to update disclosures that become inaccurate after the fact.
Like the prior guidance, the new guidance provides specific input into areas of disclosure which I will discuss in the next LawCast in this series.