August 3, 2021

Volume XI, Number 215


August 02, 2021


SEC Cybersecurity Guidance: Key Takeaways for Your Business

The U.S. Securities and Exchange Commission (“SEC”) recently released interpretive guidance regarding issues and risks related to cybersecurity for the first time since 2011. The guidance, released February 21, comes on the heels of a series of public statements from the SEC relating to the adequacy of disclosures concerning cybersecurity, as well as a number of well-publicized cases in which insider trading occurred after a significant cybersecurity incident took place but before it was disclosed.

Critical action items emanating from the SEC guidance include:

  • Conduct a periodic enterprise security risk assessment, either annually or at such other interval (e.g., bi-annually or every three years) as needed for your company and industry.

  • Consider whether the impact of cybersecurity risks, incidents, and related compliance and remediation costs is material such that it should be addressed in disclosures beyond just the risk factors.

  • Draft risk factors to include all aspects of cybersecurity ranging from occurrence of incidents to existing costs associated with protecting against risks. Avoid generic, catch-all risk factors.

  • Review and enhance disclosure controls and procedures to ensure that appropriate members of senior management are informed of cybersecurity incidents.

  • Review previously filed disclosures under the lens of the ongoing duties to correct and update them based on your company’s experience with cybersecurity issues.

Issues to Consider in Drafting Cybersecurity Risk Factors

The SEC appears to be taking a dim view of many companies’ risk factor disclosures around cybersecurity. To better inform and protect investors, the SEC offered eight criteria for companies to evaluate in crafting cybersecurity risk factor disclosure:

  1. The occurrence of prior cybersecurity incidents, including their severity and frequency.

  2. The probability of the occurrence and potential magnitude of cybersecurity incidents.

  3. The adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including, if appropriate, discussing the limits of the company’s ability to prevent or mitigate certain cybersecurity risks.

  4. The aspects of the company’s business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks, including industry-specific risks and third-party supplier and service provider risks.

  5. The costs associated with maintaining cybersecurity protections, including, if applicable, insurance coverage relating to cybersecurity incidents or payments to service providers.

  6. The potential for reputational harm.

  7. Existing or pending laws and regulations that may affect the requirements to which companies are subject relating to cybersecurity and the associated costs to companies.

  8. Litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.

Cybersecurity-related Disclosures May Be Needed Beyond Risk Factors

The SEC reminded companies that while SEC disclosure rules do not expressly refer to cybersecurity risks and incidents, companies have a general obligation to disclose in their registration statements and periodic filings all material facts required to be stated in such filings to make the filings not misleading. To that end, companies should consider the materiality of cybersecurity risks and incidents, and disclose cybersecurity issues that may be viewed as material to investors, including the financial, legal or reputational consequences of any incidents.

Thus, the updated guidance noted that such disclosures may be warranted for certain companies in their business sections as well as in the legal proceedings and financial statement footnote disclosures, among other potentially applicable disclosures. For example, if cybersecurity incidents or risks materially affect a company’s products, services, relationships with customers or suppliers, or competitive conditions, the company must provide appropriate disclosure in accordance with Item 101 of Regulation S-K. Companies should also disclose information relating to any material legal proceedings to which they or their subsidiaries are a party, including any such proceedings that relate to cybersecurity per Item 103 of Regulation S-K. Companies should be mindful that cybersecurity incidents may result in expenses related to investigation, loss of revenue, claims related to warranties or breach of contract, or impairment of assets, all of which may need to be disclosed in the notes to financial statements.

Disclosure Controls & Procedures and Insider Trading

Further, the guidance encouraged companies to ensure the sufficiency of their disclosure controls and procedures as they relate to cybersecurity issues and related disclosures. In particular, the SEC noted the importance of establishing procedures that would have the effect of treating cybersecurity incidents like any other potentially material development, and enabling the appropriate internal teams to determine whether to impose trading blackouts on insiders while investigation or assessment of a cybersecurity issue or risk is pending, or prior to the public disclosure of the same.

The Ongoing Duties to Correct & Update Existing Disclosures

Finally, the SEC’s guidance included a reminder of the ongoing duties to update and correct prior disclosures, including those surrounding cybersecurity issues. For example, if a company states that it is not aware of any cybersecurity breaches, but subsequently discovers contradictory information that existed at the time the initial disclosure was made, the company has a duty to correct the disclosure. Companies should also be mindful of updating existing disclosures to account for information that may have changed over time. 

© Polsinelli PC, Polsinelli LLP in California

National Law Review, Volume VIII, Number 54

About this Author

Ruben Chuquimia, Polsinelli Law Firm, St. Louis, Corporate and Securities Law Attorney

Ruben K. Chuquimia's practice includes a broad range of corporate, securities, and transactional work, with extensive experience in the following areas:

  • Mergers, acquisitions, divestitures, takeovers (negotiated and contested), and cross-border transactions

  • Public/private equity and debt offerings

  • Securities compliance, disclosure matters, and other counseling for companies with publicly traded securities

  • Counseling boards of...

Matthew C. Cooper, Polsinelli Law Firm, Washington DC, Securities and Corporate Law Attorney

As an associate in the Securities and Corporate Finance practice, Matt Cooper understands the opportunities and challenges companies face as they navigate their businesses through today’s economy. Whether a client is ramping up its operations or is listed on the New York Stock Exchange, Matt recognizes that today’s corporate clients demand high-quality, sophisticated legal representation.

Matt is committed to understanding clients’ larger strategic business objectives, as well as delivering timely, pragmatic advice that is tailored to their...

Kevin L. Vold, Polsinelli, Aerospace Defense Industry Lawyer, Corporate Finance Attorney
Shareholder, Securities and Corporate Finance Chair

Kevin Vold is an experienced corporate finance and securities lawyer. During 20 years of practice, Kevin has served as the lead attorney advising on corporate, securities and finance matters to clients in diverse industries, including real estate; hospitality and gaming; telecommunications, media and technology; aerospace and defense; biotechnology; energy; retail; and specialty finance and banking.

Chair of Polsinelli's Securities & Corporate Finance practice, Kevin represents issuers and underwriters in the full gamut of equity and debt...

Greg Kratofil, Jr. Technology Transactions & Data Privacy Attorney at Polsinelli Law Firm Kansas City
Shareholder | Practice Chair

Technology touches everything and Greg Kratofil, Jr. believes innovation is the key to our future. Greg chairs the firm’s Technology Transactions & Data Privacy practice group and leads a team of attorneys that couple practical experience and backgrounds with the in-depth legal analysis and counsel required in today’s fast-paced world. Greg has sharpened his skills working with a wide variety of cutting-edge solutions and services and is a recognized leader in the health care technology and information security industries.

Greg handles technology and...