The Securities and Exchange Commission (SEC) issued interpretive Release No. 33-10459 Commission Statement and Guidance on Public Company Cybersecurity Disclosures to assist public companies in preparing disclosures about cybersecurity risks and incidents. The interpretive release builds upon guidance issued in 2011 by the SEC’s Division of Corporation Finance (CF Disclosure Guidance: Topic No. 2) by addressing two topics not developed in the staff’s 2011 guidance, including the importance of cybersecurity policies and procedures and the application of insider trading prohibitions in the cybersecurity context.
The SEC acknowledges that many companies have provided cybersecurity disclosures under CF Disclosure Guidance; although primarily as part of the discussion on risk factors; however, the SEC believes that due to the increasing cost, significance, and frequency of cybersecurity incidents, further guidance was necessary.
Following are the main points in the SEC’s interpretive release:
General Disclosure Guidance
Companies should consider the materiality of cybersecurity risks and incidents when preparing the disclosures. The materiality of cybersecurity risks or incidents depends on their nature, extent, and potential magnitude. Materiality of cybersecurity risks and incidents also depends on the range of harm that incidents may cause, including harm to a company’s reputation, financial performance, and customer and vendor relationships.
Timing of Disclosure
Where a company has become aware of a cybersecurity incident or risk that would be material to its investors, the SEC would expect the company to make appropriate disclosure timely and sufficiently prior to the offer and sale of securities and to take steps to prevent directors and officers (and other corporate insiders who were aware of these matters) from trading its securities until investors have been appropriately informed about the incident or risk. The SEC also notes that an ongoing internal or external investigation - which can often be lengthy - would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.
Specific Disclosure Guidance
In evaluating cybersecurity risk factor disclosures, the SEC advises companies to consider the following issues:
- The occurrence of prior cybersecurity incidents, including their severity and frequency.
- The probability of the occurrence, and potential magnitude, of cybersecurity incidents.
- The adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including, if appropriate, the limits of the company’s ability to prevent or mitigate certain cybersecurity risks.
- The aspects of the company’s business and operations that give rise to material cybersecurity risks, and the potential costs and consequences of such risks, including industry-specific risks and third-party supplier and service-provider risks.
- The costs associated with maintaining cybersecurity protections, including, if applicable, insurance coverage relating to cybersecurity incidents or payments to service providers.
- The potential for reputational harm.
- Existing or pending laws and regulations that may affect the requirements to which the company is subject relating to cybersecurity and the associated costs to companies.
- Litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.
The SEC also advises that in meeting these SEC disclosure obligations, companies may need to disclose previous or ongoing cybersecurity incidents or other past events in order to place discussions of these risks in the appropriate context.
The SEC also provided guidance on specific cybersecurity disclosures related to the following:
- MD&A - Item 303 of Regulation S-K and Item 5 of Form 20-F
- Description of Business - Item 101 of Regulation S-K and Item 4.B of Form 20-F
- Legal Proceedings - Item 103 of Regulation S-K
- Financial Statement Disclosures
- Board Risk Oversight - Item 407(h) of Regulation S-K and Item 7 of Schedule 14A
Disclosure Controls and Procedures
The SEC notes that cybersecurity risk management policies and procedures are key elements of enterprise-wide risk management, including as it relates to compliance with the federal securities laws. In its interpretive release, the SEC encourages companies to adopt comprehensive policies and procedures relating to cybersecurity and to assess their compliance regularly.
Companies are encouraged to consider how their codes of ethics and insider trading policies take into account and prevent trading on the basis of material non-public information relating to cybersecurity risks and incidents. In addition, while companies are investigating and assessing significant cybersecurity incidents, and determining the underlying facts, ramifications and materiality of these incidents, they should consider whether and when it may be appropriate to implement restrictions on insider trading in their securities.
We encourage companies to take a fresh look at their cybersecurity disclosures in consideration of this guidance released by the SEC. For more information, contact Schneider Downs or visit the Our Thoughts On blog.