New Guidance Mandates Greater Attention to Cybersecurity Planning
The SEC’s recently issued guidance is just the latest indication that government regulators want companies to improve both their overall cybersecurity and incident response and notification procedures. Businesses must adopt and maintain the types of systems and procedures described in the guidance or else face the potential legal, financial and reputational fallout of a data breach.
with co-author William H. Berglund
In the wake of recent notable data breaches, the United States Securities and Exchange Commission issued an interpretive release in late February designed to improve the timeliness and accuracy of public companies’ disclosures of cybersecurity risks and incidents and prevent insider trading. An “incident” for purposes of the guidance is a broader term than “breach” and includes an “occurrence that actually or potentially results in adverse consequences to” a company’s information system. As discussed below, the SEC’s guidance (“Guidance”) underscores concerns that all companies, regardless of size and ownership, need to take seriously to improve their cybersecurity planning and legal compliance.
The SEC’s Guidance
Disclosing Cybersecurity Risks and Incidents
The Guidance follows up on 2011 guidance from the Division of Corporation Finance that acknowledged that while federal securities disclosure requirements do not explicitly refer to cybersecurity risks and incidents, companies may be obligated to disclose them. Many companies responded to that guidance by including additional cybersecurity disclosures in their reporting, primarily in the form of risk factors. The Guidance “reinforces and expands” on the 2011 guidance by providing more detail as to the form, breadth and timing of those disclosures.
The Guidance refers to a number of disclosure requirements that may obligate a company to disclose cybersecurity risks and incidents “depending on a company’s particular circumstances,” including periodic reports such as a Form 10-K, registration statements and current reports such as a Form 8-K or Form 6-K. A company’s obligation to disclose and the information required to be disclosed is assessed under the materiality standard. Companies are to weigh “the potential materiality of any identified risk and, in the case of incidents, the importance of any compromised information and of the impact of the incident on the company’s operations.” Materiality analysis is fact-dependent and is based on the “nature, extent and potential magnitude” of the risk or incident, particularly as it relates to the level of sensitivity and scope of the information compromised.
Companies should also consider the range of harm that flows from the incident, including reputational and financial performance harm, damage to relationships with customers and vendors and the risk of both civil litigation and government regulatory enforcement against the company. Importantly, the SEC notes that companies must provide sufficiently detailed information about risks and incidents to investors and must avoid generic, boilerplate language. That said, the SEC does not intend for a company’s disclosures to “compromise its cybersecurity efforts” by providing “specific, technical information about” its systems, networks and devices and potential vulnerabilities that would provide hackers or others with a “roadmap” for an attack.
Maintaining More Robust Cybersecurity Policies and Procedures and Precautions Against Insider Trading
Breaking new ground, the Guidance specifically encourages companies “to adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly.” While these should include specific disclosure controls and procedures related to cybersecurity disclosure, the guidance speaks in much broader and more holistic terms, encouraging companies to adopt a comprehensive plan to ensure that they are managing their enterprise-wide cybersecurity risks. This plan should include controls and procedures that enable companies to identify their risks and vulnerabilities, assess and evaluate their business impact and significance, allow for necessary communications between technical experts and disclosure advisors, advise company decision-makers (including the board) and make timely and accurate disclosures. Ultimately, the goal is for companies to be more proactive in addressing today’s threat landscape and properly advising their investors and the public of risks and incidents in a timely fashion.
Also new in the Guidance is specific direction that public companies must abide by insider trading prohibitions in the cybersecurity context. As the Guidance notes: “directors, officers and other corporate insiders must not trade a public company’s securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company.” To guard against this, companies should adopt and maintain policies and procedures that prevent an individual from taking advantage of material nonpublic information about a breach or incident to trade the company’s securities before the public is notified. Not only will such measures mitigate the legal risks associated with insider trading, but they will also guard against the risk of reputational harm that has been associated with the recent breaches.
The Guidance is just the latest indication that government regulators want companies to improve both their overall cybersecurity and incident response and notification procedures. Public and private companies should use this as an opportunity to assess their current systems and procedures to ensure that they are addressing cybersecurity risks and that they are ready to respond to security incidents and promptly provide the required notifications and disclosures. Companies should consider taking the following additional steps to address the issues raised in the Guidance:
- All companies should examine their current incident response preparation. Do you have a written incident response plan? If so, consider whether it should be updated to reflect your current business environment, the latest breach notification legal requirements, the SEC’s disclosure guidance and any other reporting obligations to your customers. Also, evaluate whether the members of your response team and other key company stakeholders have been trained on the plan. Conducting a tabletop exercise to practice the company’s response to real-world scenarios is also recommended.
- All companies should also evaluate their overall cybersecurity plan to ensure they have sufficient controls and procedures in place to mitigate security risks and to promote the timely and accurate disclosure of cybersecurity risks and incidents.
- Public companies need to incorporate the Guidance into their future disclosures of cybersecurity risks and incidents. This includes the materiality and harm analyses and the amount of detail provided in the disclosures. The Guidance also raises the issue of previous cybersecurity disclosures. Companies should evaluate whether their previous disclosures are sufficiently detailed and not cookie-cutter.
- Public companies should also examine and, if necessary, update their insider trading policies to account for the Guidance’s express prohibitions related to data breaches and other security incidents.
In today’s environment, companies must adopt and maintain the types of systems and procedures described in the Guidance or face the potential legal, financial and reputational fallout of a data breach.
U.S. Securities and Exchange Commission, Commission Statement and Guidance on Public Company Cybersecurity Disclosures, 83 Fed. Reg. 8166, p. 6 (Feb. 26, 2018); SEC Chairman Jay Clayton, Statement on Cybersecurity Interpretative Guidance, Feb. 21, 2018, available at https://www.sec.gov/news/public-statement/statement-clayton-2018-02-21 (retrieved Mar. 29, 2018).
Securities and Exchange Commission, Division of Corporate Financing, CF Disclosure Guidance: Topic No. 2 – Cybersecurity (Oct. 13, 2011), available at https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm (retrieved Mar. 29, 2018).