United States: SEC Provides New Guidance To Public Companies On Cybersecurity Disclosure Obligations

The SEC issued interpretive guidance intended to help public companies prepare disclosure statements about cybersecurity risks and incidents.

Expanding on guidance provided in 2011, the SEC reminded companies that they should take into account the materiality of cybersecurity risks and incidents when preparing disclosures. Materiality may depend upon the nature and significance of cybersecurity risks or incidents, as well as harm that results from such events. The SEC does not expect companies to disclose information that may expose systems to potential cybersecurity incidents. The SEC further identified important risk factors for companies to consider when preparing their disclosures, including the circumstances of prior incidents, the nature of business operations, the potential for harm and the adequacy and costs of cybersecurity protections. The SEC emphasized that companies are required to disclose both past and ongoing cybersecurity incidents. The SEC also outlined various other rules and requirements that may obligate companies to disclose cybersecurity-related information.

The guidance addresses two new topics: (1) the importance of cybersecurity policies and procedures, and (2) the application of insider trading prohibitions in the cybersecurity context. As it does with other compliance regimes, the SEC expects public companies to maintain comprehensive policies and procedures related to cybersecurity that are assessed regularly. Companies must also implement disclosure controls and procedures to ensure that relevant information about cybersecurity risks and incidents are processed and reported quickly and accurately to senior management. In addition, the SEC warned companies and their insiders to be mindful to comply with insider trading laws in connection with cyber vulnerabilities and breaches. The SEC notes that such information may be material nonpublic information, the trading of which would violate the antifraud provisions. The SEC encourages companies to consider incorporating this warning in their code of ethics and insider trading policies.

Commentary / Joseph V. Moreno

In the wake of the Equifax data breach and other headline-inducing cyber events in the past year, it is just a matter of time before the SEC brings a disclosure action focused on whether a public company has adequately informed investors about cybersecurity risks and incidents. If companies were not already on notice, they should pay careful heed to the new guidance and apply the same best practices to a cybersecurity compliance program as they do to anti-bribery (FCPA) and anti-money laundering (AML/BSA) regimes – namely, written policies and procedures, adequate controls and resources, regular benchmarking and pressure-testing, employee training and reporting, and a proper tone at the top. And, as the new guidance points out, companies must also implement measures to prevent trading on the basis of material non-public information, including information relating to cyber risks and events.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.