“To win a race, the swiftness of a dart availeth not without a timely start.”
~ Jean de La Fontaine
The Securities and Exchange Commission (the “Commission”) on Wednesday announced updated cybersecurity guidance for public companies. This guidance reinforces the Division of Corporation Finance guidance issued in October 2011 and expands upon it to include two new topics: (i) the importance of cybersecurity policies and procedures and (ii) the application of insider trading prohibitions in the cybersecurity context. The guidance itself and early reactions to it make it evident that the Commission is committed to aggressively regulating this area over the long haul.
With this enhanced guidance, the Commission has taken another step forward in the ongoing race to keep up with, if not outpace, the threat that cybersecurity incidents represent for investors, capital markets, and the country. The guidance makes clear that companies are required to establish and maintain appropriate and effective disclosure controls and procedures that enable them to make accurate and timely disclosures of cybersecurity risks and incidents. Companies are required to assess whether they have sufficient disclosure controls and procedures to ensure that relevant information about cybersecurity risks and incidents is processed and reported internally, including up the corporate ladder. Such robust disclosure controls and procedures assist companies in satisfying their disclosure obligations under the federal securities laws, including the certifications required of senior management.
In our digitally connected world, the goal is not merely to make the specific disclosures that are required. Instead, companies must focus on timely and efficacious disclosure policies and controls in order to win the race against inside traders, hacktivists and other bad actors as they advance cyberattacks or act on knowledge of them.
Key guidance highlights include:
Entry-level requirements.
- Cybersecurity Disclosure is More Than Just a Risk Factor. The Commission emphasized that companies should consider the materiality of cybersecurity risks and incidents when preparing disclosure documents. Disclosure regarding cybersecurity should also be considered and made, when appropriate, in MD&A, Results of Operations, Description of Business, Legal Proceedings, Financial Statement Disclosures and Board Risk Oversight.
- The Board Cannot Run Away From Risk Oversight. The extent of disclosure of the board of directors’ role in company risk oversight remains a critically important area of concern. To the extent cybersecurity risks are material to a company’s business, the board’s oversight role in managing cybersecurity risks must be included in discussions and descriptions to investors. The Commission states that disclosures regarding the company’s cybersecurity risk management program and how the board engages with management on cybersecurity should be included to allow investors to assess how the board is discharging its risk oversight responsibilities.
- Put in Policies, Procedures and Disclosure Controls So The Company Stays In Its Lane. The Commission states that cybersecurity risk management is a key element of effective enterprise-wide risk management, including as it relates to compliance with securities laws. Ongoing assessment of the effectiveness of disclosure controls and procedures after implementation is critical to ensuring that relevant information about cybersecurity risks is evaluated and that incidents are reported to appropriate personnel all the way up to executive management. Executive management must be equipped with the knowledge necessary to make disclosure decisions and certifications, specifically those relating to internal controls over financial reporting required by Section 404 of the Sarbanes-Oxley Act of 2002, and to establish or strengthen policies and procedures designed to prohibit directors, officers, and other corporate insiders from trading on the basis of material nonpublic information about cybersecurity risks and incidents.
How Not to Gain a Lead in the Race. Don’t keep secrets. Insider trading continues to be prohibited. The guidance includes a concerted focus on trading prohibitions under the general antifraud provisions of the federal securities laws, and on the obligation to refrain from making selective disclosures of material nonpublic information about cybersecurity risks and incidents. There is also the expectation that companies take steps to prevent insider trading based upon awareness of cybersecurity risks or incidents prior to their disclosure to investors. This includes a duty to correct prior disclosures when necessary.
It’s a Marathon, Not a Sprint. Some, including at least two Commissioners, say there is more to be done. Democratic Commissioner Kara Stein supported the guidance but advocated that more can be done, including exploring the implementation of time frames for disclosure of breaches to investors. Democratic Rep. Jim Langevin, co-founder of the Congressional Cybersecurity Caucus, wholeheartedly supported her via Twitter: “there’s a lot more that can – and must – be done.” Interestingly, this was issued as guidance and not as part of official rule-making, and as such it leaves a lot of room for ambiguity and uncertainty as to how to respond. Should companies be establishing separate cybersecurity committees or subcommittees consisting of members with expertise in cybersecurity risks and incident response, similar to the requirements imposed with respect to audit committees? Would it be advisable for public companies to include cybersecurity assessments on an annual or more frequent basis as part of their financial reporting audit process? How will D&O and cybersecurity insurance underwriters respond to this – will it result in increased premiums or more stringent underwriting processes? While, as noted above, some think this guidance did not go far enough, by regulating cybersecurity risks through disclosure and putting the onus on management by tying it to Section 404 of the Sarbanes-Oxley Act of 2002, it may actually have gone much farther than most companies are ready for based on current practices.
On that note, while this guidance was issued solely by the Commission, a significant consideration for corporations is that it is not unusual for the Department of Justice (DOJ) to work in coordination with the SEC on matters of corporate compliance. For example, corporate Foreign Corrupt Practices Act policies have for years been shaped by the guidance issued jointly by the SEC and DOJ.