As companies increasingly rely on networked systems and on the Internet, cybersecurity threats have grown. Companies that fall victim to a successful cyberattack incur substantial costs for remediation, including increased costs for cyber protection, lost revenues, legal costs and more. All of these costs can impact the riskiness and value of a public company’s stock.
Given the frequency, magnitude and cost of cybersecurity incidents, the Securities and Exchange Commission (SEC) has stated that it is “crucial for public companies to inform investors about relevant cybersecurity risks and incidents in a timely fashion.”
In February of 2018, the SEC issued a Commission Statement and Guidance that spelled out principles that public companies should follow in making disclosures about cybersecurity dangers and attacks. This guidance expands on a previous SEC staff guidance released in 2011 and addresses two new topics:
1. Cybersecurity disclosure policies.
2. The application of insider trading prohibitions in a cybersecurity context.
The following are the five key issues the SEC outlines in the guidance. Note that this discussion is for information only. For personalized compliance recommendations, please consult a lawyer.
One of the highlights of the 2018 guidance is the issue of materiality. In the past, when companies filed disclosures required by the Securities Act of 1933 and the Securities Exchange Act of 1934, they may have disclosed cybersecurity risks and incidents on a periodic basis or when issues became “material”—significant enough to disclose—delaying disclosure when an incident was still under investigation.
The 2018 guidance lowers the threshold for disclosure. Companies should now disclose “known trends and uncertainties,” says Brian V. Breheny, a partner who heads the SEC Reporting and Compliance Practice at Skadden, Arps, Slate, Meagher & Flom LLP. “If something is reasonably likely to result in a material impact on the company, you should give investors an early warning.”
In determining what is material, the guidance suggests that companies consider the nature, extent and potential magnitude of the event and the harm such incidents could cause. Companies should disclose enough information so that statements are not misleading and correct prior disclosures that later prove to be untrue. On the other hand, the SEC does not intend companies to make disclosures detailed enough to compromise their cybersecurity efforts.
2. Types of security risks that must be disclosed
Item 503 (c) of Regulation S-K (of US Securities Act of 1933) and Item 3.D of Form 20-F (which must be submitted by “foreign private investors”) require companies to disclose the most significant factors that make investments in their securities speculative or risky. The new guidance recommends that companies include cybersecurity risks and incidents in these disclosures. The SEC advises companies to avoid generic disclosures and tailor them to their particular cybersecurity risks and incidents.
When David J. Lavan, Partner at Dinsmore & Shohl LLP and former special counsel in the Division of Corporate Finance at the SEC, works with clients, some key risk factors he considers include:
- What industry is the company in? Some industries are subject to more cybersecurity threats than others. Finance, healthcare, retail and utilities are far more likely to be attacked than construction, for example.
- Has the company had any cyber-related incidents? What type of incidents have they had?
- About whom do they have data? Customers? Employees? Agents? Deposit holders? Policy holders?
- What information does the company store or transmit? Personally identifiable information? Healthcare info? Proprietary info? Info in the public domain?
- What regulations is the company required to comply with? NYDFS? GDPR? California’s Consumer Privacy Act?
- Is there anything in the contract with the company hosting the client’s data or providing cloud services that might impact other companies storing information in that facility?
- Does the company have business recovery procedures in place?
- Does the company have insurance? How does this affect the company’s ability to recover from a cybersecurity incident? Disclosing this in the 10K helps investors understand who is responsible for cyber-related operational risk.
- Does the board understand its disclosure responsibility?
- Does the company understand how to perform cyber-related risk reporting? Can they report fast enough for the risks to be considered properly by the company’s disclosure committee.
- Are the security risks changing? Has there been an uptick in clients getting pinged even if no one’s getting through?
Disclosure policies and procedures
The Guidance encourages companies to adopt comprehensive cybersecurity policies and procedures and regularly assess their sufficiency and compliance. The assessment should include the efficiency of the company’s disclosure controls and procedures related to cybersecurity risk.
Explains N. Peter Rasmussen, Senior Legal Analyst, at Bloomberg Law, “Cybersecurity incident teams should be well coordinated with disclosure compliance and other non-IT professionals within the company. Disclosure controls and procedures should ensure that relevant information about cybersecurity risk is collected and documented in a timely fashion and that it is reported to the appropriate personnel to assess its materiality.”
“Companies are under cyberattack all the time. Whether these ongoing risks become material and whether they need to be disclosed are different questions,” explains Breheny. “The issue is whether individuals involved in cybersecurity are elevating issues that come up quickly enough and to the right people to determine whether something needs to be disclosed.”
The company’s CEO and CFO must certify the controls. If the company’s controls and procedures fail to ensure that information about a cyber incident is properly raised for timely disclosure, and the company made the certifications anyway, the CEO and CFO could be at risk for enforcement action.
Role of officers and the board
Item 407(h) of Regulation S-K and Item 7 of Schedule 14A requires companies to disclose the board of directors’ role in overseeing company risks, including how the board administers its oversight function and the effect this has on the board’s leadership structure. With the 2018 guidance, the SEC emphasizes the board’s role in monitoring and overseeing cybersecurity risk. The guidance implies that cybersecurity is clearly a board-level concern – not just a matter for the tech department.
La Fleur C. Browne, Associate General Counsel and Assistant Secretary, Church & Dwight says her firm’s board has a disclosure committee that regularly evaluates what needs to be included in disclosure statements. “Different people might view materiality differently. When the guidance first came down, our disclosure committee met with our IT department to review the guidance, discuss the types of threats they see, and explain that they should let the committee know what’s going on. IT has committed to report any cybersecurity incidents to the disclosure committee, which in turn determines whether the issue is material and should be disclosed.”
The head of IT now attends Church & Dwight Disclosure Committee meetings to provide updates on cybersecurity so the committee can have informed discussions. The disclosure keeps the CEO and CFO Informed about what IT is seeing and whether it’s material to the company. Our board also has a cybersecurity item on the agenda of every board meeting and has a deep dive discussion about cyber security at least once a year.”
Finally, the 2018 Guidance requires companies/directors to comply with laws regarding insider trading in connection with information about cybersecurity risks and incidents. Companies should have well designed policies and procedures to prevent insider trading based on cybersecurity risks and incidents.
Overall, in light of the 2018 Guidance, says Rasmussen, “It’s fair to say that we can expect the SEC will take a closer look at cybersecurity disclosures by public companies. Issuers must anticipate the questions the SEC will have. And the SEC has indicated that it will emphasize risk factor disclosures, the timely disclosure of cyber incidents, insider trading controls and the effectiveness of the company’s data security policies and internal accounting controls. We can expect to see greater enforcement activity based on inadequacies in these areas of disclosure.”