The U.S. Securities and Exchange Commission (“SEC”) recently released interpretive guidance regarding issues and risks related to cybersecurity for the first time since 2011. The guidance, released February 21, comes on the heels of a series of public statements from the SEC relating to the adequacy of disclosures concerning cybersecurity, as well as a number of well-publicized incidents where insider trading has occurred after the occurrence, but prior to the disclosure, of a significant cybersecurity incident.
Critical action items emanating from the SEC guidance include:
- Conduct a periodic enterprise security risk assessment either annually or such other time period (e.g. bi-annually or every three years) as needed for your company and industry.
- Consider whether the impact of cybersecurity risks, incidents, and related compliance and remediation costs are material such that they should be addressed in disclosures beyond just the risk factors.
- Draft risk factors to include all aspects of cybersecurity ranging from occurrence of incidents to existing costs associated with protecting against risks. Avoid generic, catch-all risk factors.
- Review and enhance disclosure controls and procedures to ensure that appropriate members of senior management are informed of cybersecurity incidents.
- Review previously filed disclosures under the lens of the ongoing duties to correct and update them based on your company’s experience with cybersecurity issues.
Issues to Consider in Drafting Cybersecurity Risk Factors
The SEC appears to be taking a dim view of many companies’ risk factor disclosures around cybersecurity. To better inform and protect investors, the SEC offered eight criteria for companies to evaluate in crafting cybersecurity risk factor disclosure:
- The occurrence of prior cybersecurity incidents, including their severity and frequency.
- The probability of the occurrence and potential magnitude of cybersecurity incidents.
- The adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including, if appropriate, discussing the limits of the company’s ability to prevent or mitigate certain cybersecurity risks.
- The aspects of the company’s business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks, including industry-specific risks and third-party supplier and service provider risks.
- The costs associated with maintaining cybersecurity protections, including, if applicable, insurance coverage relating to cybersecurity incidents or payments to service providers.
- The potential for reputational harm.
- Existing or pending laws and regulations that may affect the requirements to which companies are subject relating to cybersecurity and the associated costs to companies.
- Litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.
Cybersecurity-related Disclosures May Be Needed Beyond Risk Factors
The SEC reminded companies that while SEC disclosure rules do not expressly refer to cybersecurity risks and incidents, companies have a general obligation to disclose in their registration statements and periodic filings all material facts required to be stated in such filings to make the filings not misleading. To that end, companies should consider the materiality of cybersecurity risks and incidents, and disclose cybersecurity issues that may be viewed as material to investors, including the financial, legal or reputational consequences of any incidents.
Thus, the updated guidance noted that such disclosures may be warranted for certain companies in their business sections as well as in the legal proceedings and financial statement footnote disclosures, among other potentially applicable disclosures. For example, if cybersecurity incidents or risks materially affect a company’s products, services, relationships with customers or suppliers, or competitive conditions, the company must provide appropriate disclosure in accordance with Item 101 of Regulation S-K. Companies should also disclose information relating to any material legal proceedings to which they or their subsidiaries are a party, including any such proceedings that relate to cybersecurity per Item 103 of Regulation S-K. Companies should be mindful that cybersecurity incidents may result in expenses related to investigation, loss of revenue, claims related to warranties or breach of contract, or impairment of assets, all of which may need to be disclosed in the notes to financial statements.
Disclosure Controls & Procedures | Insider Trading
Further, the guidance encouraged companies to ensure the sufficiency of their disclosure controls and procedures as they relate to cybersecurity issues and related disclosures. In particular, the SEC noted the importance of establishing procedures that would have the effect of treating cybersecurity incidents like any other potentially material development, and enabling the appropriate internal teams to determine whether to impose trading blackouts on insiders while investigation or assessment of a cybersecurity issue or risk is pending, or prior to the public disclosure of the same.
The Ongoing Duties to Correct & Update Existing Disclosures
Finally, the SEC’s guidance included a reminder of the ongoing duties to update and correct prior disclosures, including those surrounding cybersecurity issues. For example, if a company states that it is not aware of any cybersecurity breaches, but subsequently discovers contradictory information that existed at the time the initial disclosure was made, the company has a duty to correct the disclosure. Companies should also be mindful of updating existing disclosures to account for information that may have changed over time.