iThe Securities and Exchange Commission (“SEC”) released expansive interpretive guidance (“2018 Guidance”), posted February 21, 2018, further building upon its far-reaching cybersecurity guidance provided in 2011. Below are four key takeaways that will be essential in complying with federal securities laws going forward.
1. The SEC recognizes that effective cybersecurity has never been more important to capital markets and our country.
On the heels of the Equifax breach, it comes as no surprise that the SEC recognizes that “[c]ybersecurity risks pose grave threats to investors, our capital markets, and our country” and that the “importance of data management and technology to business is analogous to the importance of electricity and other forms of power in the past century.”[1]
The SEC understands that a lack of cybersecurity and the cybersecurity incidents this creates will lead to destruction of shareholder value, and it is serious about using its authority to reduce this risk. By reminding companies that “[c]ybersecurity risk management policies and procedures are key elements of enterprise-wide risk management, including as it relates to compliance with the federal securities laws,” the SEC has made it clear that compliance needs to start at the policy and procedure level, not when an adverse material cybersecurity event occurs.[2]
2. Adequate cybersecurity controls are required to comply with mandatory disclosures of material cybersecurity incidents under federal securities laws and prevent insider trading based on material nonpublic information.
The SEC continues to reinforce that federal securities laws require (a) mandatory disclosures of material cybersecurity events and (b) that companies have a duty to prevent insider trading, which includes trades made on material nonpublic information involving cybersecurity incidents.
Compliance will not be possible without effective underlying controls that are in place and being executed before a material cybersecurity event occurs. Per the SEC:
Crucial to a public company’s ability to make any required disclosure of cybersecurity risks and incidents in the appropriate timeframe are disclosure controls and procedures that provide an appropriate method of discerning the impact that such matters may have on the company and its business, financial condition, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents.[3]
Implementing such controls will require cooperation between information technology, finance, operations, and those managing risk generally on an ongoing basis. Siloed compliance functions will not suffice.
Further building upon this effort, companies must create and execute a set of controls that reduce risk of insider trading-based cybersecurity incidents by “guard[ing] against directors, officers, and other corporate insiders taking advantage of the period between the company’s discovery of a cybersecurity incident and public disclosure of the incident to trade on material nonpublic information about the incident.”[4] Interested parties should keep in mind that any such controls to prevent insider trading can only be as effective as the initial set of controls used to determine what incidents are material in the first place.
3. Companies can use provided SEC factors to assist with determining what is material. Generally speaking, the more damaging, expensive, and problematic a cybersecurity incident is, the more likely it is to be material.
The SEC has provided expanded guidance on which cybersecurity incidents will be considered material. Companies should analyze a given cybersecurity incident using the SEC provided factors below:
a. Remediation costs, including “liability for stolen assets or information, repairs of system damage, and incentives to customers or business partners in an effort to maintain relationships after an attack;”
b. Increased cybersecurity protection costs, which may include the costs of making organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third party experts and consultants;
c. Lost revenues resulting from the unauthorized use of proprietary information or the failure to retain or attract customers following an attack;
d. Litigation and legal risks, including regulatory actions by state and federal agencies;
e. Increased insurance premiums;
f. Reputational damage; and
g. Damage to the company’s competitiveness, stock price, and long-term shareholder value.[5]
While the analysis will depend on the specific cybersecurity incident at hand, companies can be assured that the greater the expense, damage, and risks created by the incident, the more likely it is to be considered material. The use of these factors, and the prophylactic documentation of a materiality determination at the company level, will depend on the preexisting adequate cybersecurity controls discussed in the previous section.
4. Companies should focus on disclosing information that will allow investors to appreciate why a security incident is material. Companies do not need to disclose technical information that could put their cybersecurity at risk, however, nor will the SEC accept an internal or external investigation without more, as a reason for delaying a material cybersecurity disclosure.
What do companies need to disclose for an effective disclosure of a material cybersecurity incident? Companies should focus on informing investors in a way that allows investors to appreciate the risk in light of the factor-based framework in the previous section. Companies do not need to disclose technical information that could provide a “roadmap” to a would-be attacker. The SEC recognizes such detailed technical information would be unlikely to help investors appreciate investment risk and could put companies at further risk.
However, companies that seek to delay a material disclosure should be careful as “an ongoing internal or external investigation – which often can be lengthy – would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.”[6] This means that law enforcement investigations may not serve as a means to delay disclosure, especially where a material disclosure could be made without revealing sensitive technical details.
5. Companies have a duty to update their disclosures regarding material cybersecurity incidents as the result of ongoing investigations.
The SEC reminded companies that they must update disclosures that become materially inaccurate, including when the statement is still being relied upon by reasonable investors. For example, a later investigation may reveal additional material facts, or reveal that certain disclosures provided were based on incomplete conclusions.
