Corporate Compliance Insights

The SEC’s Latest on Disclosures

by Tod Northman
April 17, 2018
in Data Privacy, Featured

New Guidance Mandates Greater Attention to Cybersecurity Planning

The SEC’s recently issued guidance is just the latest indication that government regulators want companies to improve both their overall cybersecurity and incident response and notification procedures. Businesses must adopt and maintain the types of systems and procedures described in the guidance or else face the potential legal, financial and reputational fallout of a data breach.

with co-author William H. Berglund

In the wake of recent notable data breaches, the United States Securities and Exchange Commission issued an interpretive release in late February designed to improve the timeliness and accuracy of public companies’ disclosures of cybersecurity risks and incidents and prevent insider trading.[1] An “incident” for purposes of the guidance is a broader term than “breach” and includes an “occurrence that actually or potentially results in adverse consequences to” a company’s information system. As discussed below, the SEC’s guidance (“Guidance”) underscores concerns that all companies, regardless of size and ownership, need to take seriously to improve their cybersecurity planning and legal compliance.

The SEC’s Guidance

Disclosing Cybersecurity Risks and Incidents

The Guidance follows up on 2011 guidance from the Division of Corporation Finance[2] that acknowledged that while federal securities disclosure requirements do not explicitly refer to cybersecurity risks and incidents, companies may be obligated to disclose them. Many companies responded to that guidance by including additional cybersecurity disclosures in their reporting, primarily in the form of risk factors. The Guidance “reinforces and expands” on the 2011 guidance by providing more detail as to the form, breadth and timing of those disclosures.

The Guidance refers to a number of disclosure requirements that may obligate a company to disclose cybersecurity risks and incidents “depending on a company’s particular circumstances,” including periodic reports such as a Form 10-K, registration statements and current reports such as a Form 8-K or Form 6-K. A company’s obligation to disclose and the information required to be disclosed is assessed under the materiality standard. Companies are to weigh “the potential materiality of any identified risk and, in the case of incidents, the importance of any compromised information and of the impact of the incident on the company’s operations.” Materiality analysis is fact-dependent and is based on the “nature, extent and potential magnitude” of the risk or incident, particularly as it relates to the level of sensitivity and scope of the information compromised.

Companies should also consider the range of harm that flows from the incident, including reputational harm, harm to financial performance, damage to relationships with customers and vendors and the risk of both civil litigation and government regulatory enforcement against the company. Importantly, the SEC notes that companies must provide sufficiently detailed information about risks and incidents to investors and must avoid generic, boilerplate language. That said, the SEC does not intend for a company’s disclosures to “compromise its cybersecurity efforts” by providing “specific, technical information about” its systems, networks and devices and potential vulnerabilities that would provide hackers or others with a “roadmap” for an attack.

Maintaining More Robust Cybersecurity Policies and Procedures and Precautions Against Insider Trading

Breaking new ground, the Guidance specifically encourages companies “to adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly.” While these should include specific disclosure controls and procedures related to cybersecurity disclosure, the guidance speaks in much broader and more holistic terms, encouraging companies to adopt a comprehensive plan to ensure that they are managing their enterprise-wide cybersecurity risks. This plan should include controls and procedures that enable companies to identify their risks and vulnerabilities, assess and evaluate their business impact and significance, allow for necessary communications between technical experts and disclosure advisors, advise company decision-makers (including the board) and make timely and accurate disclosures. Ultimately, the goal is for companies to be more proactive in addressing today’s threat landscape and properly advising their investors and the public of risks and incidents in a timely fashion.

Also new in the Guidance is specific direction that public companies must abide by insider trading prohibitions in the cybersecurity context. As the Guidance notes: “directors, officers and other corporate insiders must not trade a public company’s securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company.” To guard against this, companies should adopt and maintain policies and procedures that prevent an individual from using material nonpublic information about a breach or incident to trade the company’s securities before the public is notified. Not only will such measures mitigate the legal risks associated with insider trading, but they will also guard against the risk of reputational harm that has been associated with the recent breaches.

Takeaways

The Guidance is just the latest indication that government regulators want companies to improve both their overall cybersecurity and incident response and notification procedures. Public and private companies should use this as an opportunity to assess their current systems and procedures to ensure that they are addressing cybersecurity risks and that they are ready to respond to security incidents and promptly provide the required notifications and disclosures. Companies should consider taking the following additional steps to address the issues raised in the Guidance:

  • All companies should examine their current incident response preparation. Do you have a written incident response plan? If so, consider whether it should be updated to reflect your current business environment, the latest breach notification legal requirements, the SEC’s disclosure guidance and any other reporting obligations to your customers. Also, evaluate whether the members of your response team and other key company stakeholders have been trained on the plan. Conducting a tabletop exercise to practice the company’s response to real-world scenarios is also recommended.
  • All companies should also evaluate their overall cybersecurity plan to ensure they have sufficient controls and procedures in place to mitigate security risks and to promote the timely and accurate disclosure of cybersecurity risks and incidents.
  • Public companies need to incorporate the Guidance into their future disclosures of cybersecurity risks and incidents. This includes the materiality and harm analyses and the amount of detail provided in the disclosures. The Guidance also raises the issue of previous cybersecurity disclosures. Companies should evaluate whether their previous disclosures are sufficiently detailed and not cookie-cutter.
  • Public companies should also examine and, if necessary, update their insider trading policies to account for the Guidance’s express prohibitions related to data breaches and other security incidents.

In today’s environment, companies must adopt and maintain the types of systems and procedures described in the Guidance or face the potential legal, financial and reputational fallout of a data breach.

[1] U.S. Securities and Exchange Commission, Commission Statement and Guidance on Public Company Cybersecurity Disclosures, 83 Fed. Reg. 8166, p. 6 (Feb. 26, 2018); SEC Chairman Jay Clayton, Statement on Cybersecurity Interpretative Guidance, Feb. 21, 2018, available at https://www.sec.gov/news/public-statement/statement-clayton-2018-02-21 (retrieved Mar. 29, 2018).

[2] Securities and Exchange Commission, Division of Corporate Financing, CF Disclosure Guidance: Topic No. 2 – Cybersecurity (Oct. 13, 2011), available at https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm (retrieved Mar. 29, 2018).

About the author: Tod A. Northman is a Partner in the corporate group at Tucker Ellis LLP. He counsels clients of all sizes in a variety of industries, with a particular focus in the areas of aviation, autonomous vehicles and antitrust matters. He can be reached at 216.696.5469 or tod.northman@tuckerellis.com.

© 2022 Corporate Compliance Insights