Victim of a cyberattack? Here's what the SEC says you should do
02.26.18
The Securities and Exchange Commission has released new guidance detailing how and when public companies should disclose cybersecurity breaches and threats.
The guidance comes in an environment where the threat of cyberattacks for companies is only expected to grow. Nearly one-third of all U.S. companies were victims of cybercrime in 2016, while another one-third were expecting to become victims in the next two years, according to a PricewaterhouseCoopers report.
One estimate has found that cybercrime will cost businesses upwards of $6 trillion per year on average through 2021.
Public companies should “examine their controls and procedures, with not only their securities law disclosure obligations in mind but also reputational considerations around sales of securities by executives,” SEC Chairman Jay Clayton said in a statement.
Correspondingly, the SEC's new guidance updates the SEC’s interpretative release on the topic issued in 2011 (CF Disclosure Guidance: Topic No. 2) with two new topics (as further delineated below) and addresses the application of insider trading prohibitions and the need for fulsome policies and procedures relating to cybersecurity issues.
In order to make the required disclosure, the guidance advises that disclosure controls and procedures should provide a method for determining the impact on a company’s business, financial condition and results of operations.
The average cost of a data breach to a business is now nearly $4 million per breach, according to Microsoft.
Specifically, the guidance outlines these factors:
Disclosure obligations and duty to correct: Companies must consider the materiality of cybersecurity risks when preparing required disclosure. In addition to the information expressly required, a company must disclose “such further material information, if any, as may be necessary to make the required statements, in light of the circumstances under which they are made, not misleading.” The SEC also specifically reminds companies that “they may have a duty to correct prior disclosure” if they determine it was untrue or misleading, or a “duty to update disclosure that becomes materially inaccurate.”
Risk factors: The SEC provided a non-exhaustive list of disclosures to be considered when developing a company’s risk factors disclosure: (1) previous cybersecurity incidents, (2) the probability and potential magnitude of cybersecurity incidents, (3) the adequacy of a company’s preventative actions, (4) the aspects of the company’s business that give rise to such risks, (5) the costs of maintaining and preventing cybersecurity incidents, (6) the potential for reputational harm, (7) the impact of existing or pending laws and regulations on cybersecurity and associated costs and (8) litigation, regulatory investigation and remediation costs associated with cybersecurity incidents.
MD&A: Companies and their boards should consider and discuss the cost of ongoing cybersecurity efforts (including enhancement of current efforts), the costs and other consequences of cybersecurity incidents (including, but not limited to, loss of intellectual property, immediate costs, costs of measures, necessary insurance and reputational harm) and the risks of potential cybersecurity incidents.
Description of business: If a company’s products, services, relationships with customers or suppliers or competitive conditions can be materially affected by cybersecurity incidents or risks, the company must provide appropriate disclosure.
Legal proceedings: The obligation of companies to disclose information on pending legal proceedings extends to proceedings that relate to cybersecurity issues and incidents.
Financial statements: The SEC expects that “a company’s financial reporting and control systems would be designed to provide reasonable assurance that information about the range and magnitude of the financial impacts of a cybersecurity incident would be incorporated into its financial statements on a timely basis as the information becomes available.”
Board risk oversight: If material to the business, the company should disclose the role of its board of directors in risk oversight for cybersecurity incidents.
Policies and procedures: In the past, companies may have refrained from or delayed disclosing information on cybersecurity incidents or measures on the grounds of compromising cybersecurity or ongoing internal or law enforcement investigations. The new guidance makes clear that these factors do not outweigh the need for timely disclosure. Companies should also have policies and procedures in place to ensure that they (and those acting on their behalf) do not selectively disclose material, nonpublic information regarding cybersecurity risks and incidents.
Disclosure Controls: The SEC encourages all companies to adopt detailed and comprehensive policies and procedures related to cybersecurity. These policies should also provide disclosure controls and procedures for cybersecurity issues so that information is processed and reported in a timely manner. These policies must be evaluated for effectiveness as well as their ability to “record, process, summarize, and report the information related to cybersecurity risks and incidents.”
Insider Trading: The SEC also clarified that trading on material nonpublic information about cybersecurity risks or events before it is disclosed to the public is insider trading. Also, the SEC urged companies to consider revising their codes of ethics and insider trading policies to account for and prevent trading based on nonpublic information on cybersecurity risks and incidents.
Regulation FD and selective disclosure: Companies, and those acting on their behalf, should not selectively disclose material, nonpublic information regarding cybersecurity risks and incidents. Generally, the SEC considers omitted information material if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision, or if the disclosure of the omitted information would have been viewed by a reasonable investor as significantly altering the total mix of information that was available.
This guidance provides more clarity about the SEC’s views as to the disclosures that are required when cybersecurity incidents occur.
While this guidance should help companies communicate more clearly to investors, one commissioner noted that “the step the Commission took with respect to cybersecurity risks and incidents should only be its first.”