Practice Note: SEC Issues Updated Guidance on Cybersecurity Disclosures by Public Companies

2/21/2018 - On February 21, 2018, the United States Securities and Exchange Commission (“SEC”) published Interpretive Release (“IR”) 33-10459, which provides guidance on disclosures from public companies relating to cybersecurity risks and incidents.  The release emphasizes the important role played by a company's internal policies and procedures related to cybersecurity risks and incidents in satisfying the company's disclosure obligations.  The IR warns companies and their directors, officers, and other corporate insiders about trading in a company’s securities while in possession of non-public information about cybersecurity risks and incidents, including vulnerabilities and breaches.  The SEC periodically publishes interpretive releases as a means of expressing its views and interpreting the federal securities laws and SEC regulations.  This IR follows and updates an October 2011 release about cybersecurity issues.

Recognizing that “[i]n a digitally connected world, cybersecurity presents ongoing risks and threats to our capital markets and to companies operating in all industries, including public companies regulated by the [SEC],” the new guidance stresses that companies should disclose material cybersecurity risks and incidents in a timely fashion.  And timely disclosure requires companies to maintain “disclosure controls and procedures that provide an appropriate method of discerning the impact that such matters may have on the company and its business, financial condition, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents.”  According to the IR, whether cybersecurity risks or incidents are material “depends upon their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations.”  Materiality also depends on “the range of harm that such incidents could cause.”  As for the content of any disclosure, the IR explains that while the SEC does not expect a level of detail that would compromise a company’s cybersecurity efforts or reveal the inner workings of its cybersecurity systems, it does expect a timely disclosure of material information that includes “the concomitant financial, legal, or reputational consequences” of any cybersecurity risk or incident.  Companies are cautioned to “avoid generic cybersecurity-related disclosure and provide specific information that is useful to investors.”

According to the IR, while disclosures can be made in a number of ways, the SEC encourages companies to use Form 8-Ks or Form 6-Ks (reporting current material events) to make a timely disclosure of such information rather than waiting for the next scheduled periodic filing such as a Form 10-K (annual report) or 10-Q (quarterly report).  The SEC believes a timely disclosure of material information related to a cybersecurity incident will reduce the likelihood of selective disclosure and insider trading concerns.  And while the SEC recognizes that all of the material facts may not be available at the initial disclosure of a cybersecurity incident and a company may need more time to determine the implications of the incident or to cooperate with law enforcement in an ongoing investigation, the IR emphasizes that “an ongoing internal or external investigation—which often can be lengthy—would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.”  This seems to suggest that once a company suffers a material cybersecurity incident, it should make a disclosure of as much information as is possible to inform investors of that incident and any potential consequences of the incident.  Companies then have an ongoing duty to correct or update any prior disclosure as more information becomes available.

With respect to insider trading, the IR explains that material information concerning cybersecurity risks and incidents may constitute material nonpublic information, and directly warns that “directors, officers, and other corporate insiders must not trade a public company’s securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company.”  The SEC cautions that companies would be “well served” to consider the potential ramifications of allowing insider trading in advance of disclosures regarding cyber incidents “that prove to be material” and may need to consider when and whether it may be appropriate for a company that suffers a cybersecurity incident to enact insider trading restrictions while assessing the “underlying facts, ramifications and materiality” of the incident so as to avoid the appearance of improper trading after the incident but before its disclosure.   

This new SEC cybersecurity disclosure guidance follows the much-publicized data breach at Equifax that occurred from mid-May through July 2017, but was not disclosed by the company until September 2017.  In that case, Equifax insiders sold over $1.8 million of Equifax stock in the days after the data breach was initially discovered, but before public disclosure of the breach.  While an internal company investigation cleared the executives of any wrongdoing, the insider sales are reportedly still under investigation by the United States Department of Justice.

Click here for the full text of the SEC's guidance.