SEC Issues Guidance on Cybersecurity Disclosure
March 1, 2018 | The Securities and Exchange Commission (SEC) has issued interpretive guidance to assist public companies in preparing disclosures related to cybersecurity risks and incidents. The guidance represents the first of its kind released by the full Commission on the topic of cybersecurity for public companies.
The 2018 interpretive release expands on guidance from 2011, which first outlined cybersecurity disclosure obligations. The latest interpretation also addresses two topics not previously developed by SEC staff: the importance of establishing and maintaining internal procedures that support the timely and accurate disclosure of cybersecurity events, and the application of insider trading prohibitions in the cybersecurity context.
The guidance encourages a tailored approach to disclosure devoid of standardized language and static requirements. All items of potential consequence to investors, including anticipated financial, legal, or reputational implications, should be revealed in a timely and ongoing manner, with updates provided as information becomes available. Key highlights and recommended practices include:
- Previous, ongoing, or potential cybersecurity risks involving suppliers, customers, and competitors, including those connected to an acquisition, should be considered in risk factor disclosures
- Companies should establish and maintain procedural mechanisms to ensure cybersecurity risks are reported to executives for proper disclosure, while simultaneously enforcing policies that prohibit insider trading
- Executive disclosure certifications should account for the impact cybersecurity risks have on the company’s processes for assembling and reporting disclosures and consider if those risks render disclosure protocols ineffective
- The nature of a board of directors’ role in managing cybersecurity risks, when those risks represent a substantial part of company operations, should be disclosed to investors for proper assessment
- In accordance with Regulation FD, companies should not disclose nonpublic information, including cybersecurity issues, to selective groups before disclosing it in the public forum
- Insider trading policies and codes of ethics should be evaluated in a cybersecurity context, with additional trading protections considered during times of cybersecurity risks and incidents
The interpretive release will promote timelier and more robust disclosure, said SEC Chairman Jay Clayton, giving investors access to the latest and most complete information available. The statement and interpretation come at a time when data breach incidents are at an all-time high, signaling the SEC’s intention to play a more significant role in protecting investors in an unpredictable cybersecurity landscape.