The recent spate of high-profile cybersecurity breaches has not spared public companies, as demonstrated by large data breaches in recent years involving Equifax Inc. (NYSE: EFX) and a multitude of other companies. In response to the proliferation of cybersecurity threats to public companies, on February 21, 2018, the SEC released interpretive guidance to assist companies in preparing disclosures about cybersecurity risks and incidents. The release, which expands upon the staff’s 2011 guidance and addresses several new topics, was adopted unanimously by the full SEC and, therefore, carries significant weight.
As the SEC release makes clear, in order to meet their ongoing disclosure requirements, public companies should adequately and timely disclose any and all material cybersecurity risks and incidents in their registration statements and in their periodic and current reports. Public companies must weigh the potential materiality and likelihood of identified risks and, in the case of cybersecurity incidents, the importance of any compromised information and the impact on their operations. Further, the SEC encourages the use of Forms 8-K and 6-K to promptly disclose cybersecurity risks and incidents, as it will help to reduce the risks of selective disclosure and insider trading. The SEC guidance indicates that, although some time may be needed to discern the scope and implications of a cybersecurity incident, an ongoing internal or external investigation would not, on its own, provide a basis for avoiding disclosures of a material cybersecurity incident. The release includes specific guidance on a number of disclosure elements required by Regulation S-K and Regulation S-X, including risk factors, management discussion and analysis, description of the business, legal proceedings, financial statements and board risk oversight.
The SEC views cybersecurity risk management policies and procedures as key elements of enterprise-wide risk management, and public companies are therefore encouraged to adopt comprehensive policies and procedures related to cybersecurity. In particular, public companies should assess whether their disclosure controls and procedures are sufficient to ensure that relevant information regarding cybersecurity risks and incidents is processed and reported to the appropriate personnel, so that senior management are capable of making disclosure decisions and certifications in light of known cybersecurity risks and incidents. In the event that a public company becomes aware of a material cybersecurity incident or risk, timely and sufficient disclosure should be made prior to the offer and sale of any securities, and the company should take steps to prevent directors and officers (and other corporate insiders aware of the issues) from trading its securities until investors have been appropriately informed.
Turning to the well-known Equifax data breach that came to light in 2017, four Equifax executives were found to have traded company shares after the date that the breach was discovered but before Equifax went public with the disclosure (the executives were ultimately cleared by a special committee composed of independent board members). If the Equifax leadership had had the benefit of the recent SEC guidance, they might have avoided some of the fallout by (a) adopting disclosure controls and procedures to ensure that senior management is informed promptly, (b) more promptly disclosing the existence of the breach and (c) taking steps to prevent corporate insiders from making trades. Going forward, in order to minimize the risk of insider trading concerns, public companies should strive to disclose material risks and incidents as soon as is reasonably possible after discovery, and companies should consider implementing a “blackout period” or otherwise limiting the ability of directors, executive officers and other insiders to trade shares prior to the public disclosure of a material cybersecurity incident or risk. Further, given the extensive cybersecurity disclosure guidance adopted by the SEC, we expect that the SEC will be placing more emphasis on cybersecurity disclosures in the coming years, with an attendant increase in cybersecurity-related comments on public companies’ periodic disclosures and registration statements.