
SEC Releases Guidance on Cybersecurity Disclosures

In light of the increasing significance of cybersecurity incidents, and their potential impact on a company's operations, on February 21, the Securities and Exchange Commission (SEC) issued guidance to public reporting companies regarding disclosure obligations related to cybersecurity risks. This new guidance applies to disclosures in registration statements and periodic and current reports filed under the Securities Act of 1933 and the Securities Exchange Act of 1934, and supplements the Division of Corporation Finance's October 2011 report related to cybersecurity risks and incidents.

The 2018 guidance focuses on two aspects of securities laws—an overview of rules requiring disclosure of cybersecurity issues and a reminder to companies and their directors, officers and other corporate insiders of applicable insider trading and selective disclosure prohibitions.

Disclosure Obligations

Any material cybersecurity risks and incidents must be disclosed in the appropriate registration statement, periodic report or current report. When determining the materiality of an incident or risk, companies should consider: the importance of the compromised information; the impact on the company's operations; the range of harm caused by the exposure, including damage to reputation, financial performance and customer relationships; and the possibility of litigation or regulatory investigations or actions. Once a company becomes aware of a cybersecurity risk or incident, it should provide disclosure in a timely manner. Additionally, if during the course of a cybersecurity investigation it becomes known that any prior disclosure was or has become materially inaccurate, that disclosure must be corrected and updated.

The 2018 guidance focuses on the following disclosure items:

  • Risk Factors, such as:

    • prior cybersecurity incidents, including severity and frequency;

    • probability of occurrence and potential magnitude of cybersecurity incidents;

    • adequacy of preventative actions taken to reduce cybersecurity risks and associated costs, including limits of the company's ability to mitigate or prevent certain threats;

    • aspects of the company's business and operations that give rise to material cybersecurity risks and potential costs and consequences of such risks, including industry-specific risks and third-party supplier and service-provider risks;

    • costs associated with maintaining cybersecurity protections, including insurance coverage related to cybersecurity incidents or payments to service providers;

    • potential for reputational harm;

    • existing or pending laws and regulations that may affect any cybersecurity requirements the company is subject to and any associated costs; and

    • litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.

  • MD&A: A company's analysis should take into account any costs of ongoing cybersecurity efforts, any costs and other consequences of cybersecurity incidents, and any risks of potential cybersecurity incidents. The impact of any cybersecurity incidents must be considered for each reportable segment.

  • Business Description: Companies should provide appropriate disclosure where cybersecurity incidents or risks will materially affect products, services, or customer or supplier relationships.

  • Legal Proceedings: Companies should disclose any material legal proceedings related to cybersecurity issues.

  • Financial Statements: A company should disclose the range and magnitude of a cybersecurity incident in its financial statements on a timely basis, including any: expenses related to investigation, breach notification, remediation, and litigation, including costs of legal and other professional services; loss of revenue, providing customers with incentives, or a loss of customer relationship asset value; claims related to warranty, breach of contract, product recall/replacement, indemnification, and insurance premium increases; and diminished future cash flows, impairment of intellectual, intangible or other assets, recognition of liabilities, or increased financial costs.

  • Board Oversight of Risk: The guidance focuses on the requirement to disclose the extent of the Board of Directors' oversight role in the company's internal and external risk assessment and management.

In addition, the 2018 guidance recommends assessment of the company's disclosure controls and procedures as they relate to cybersecurity and the need to continually assess any changes or updates to such procedures.

Insider Trading and Selective Disclosure Prohibitions

The 2018 guidance reminds companies about the prohibition on insider trading by directors, officers and other corporate insiders while in possession of material non-public information related to cybersecurity risks and incidents. As part of a response to a cybersecurity incident, it may be prudent for the company to take steps to ensure that insiders are not trading based on knowledge of the incident, and that the compliance personnel responsible for administering the company's stock purchase/sale program are fully aware of the incident and its potential impact on trades by company insiders. In addition, companies should always be mindful of the obligation not to selectively disclose cybersecurity risks and incidents to persons enumerated in Regulation FD before such information is publicly disclosed.

Copyright © by Ballard Spahr LLP. National Law Review, Volume VIII, Number 57

About this Author

Mary J. Mullany Partner

Mary J. Mullany concentrates her practice in the areas of securities offerings, mergers and acquisitions, corporate financing (public and private), executive compensation, corporate governance, pharmaceutical and life sciences licensing and collaborations, general corporate law, business counseling, and health care law. Her client base includes large, multinational public companies; public and private middle-market companies in a variety of industries; nonprofit organizations; and start-up entities.

Mary has worked most recently on sophisticated merger and acquisition transactions...

Alice Huang, Ballard Spahr Law Firm, Philadelphia, Corporate and Healthcare Law Attorney

Alice Huang is a transactional attorney who counsels publicly-traded and privately-held companies on mergers and acquisitions, financing transactions, securities matters, corporate governance, and general contract matters. She also advises clients in the health care sector on a number of regulatory issues, including HIPAA compliance, the Anti-Kickback Statute, and the STARK Law. Alice was a summer associate at Ballard Spahr in 2014 and 2015. Prior to joining the firm, she worked for early stage start-ups in the software industry.