SEC Issues Guidance on Public Company Cybersecurity Disclosure

The US Securities & Exchange Commission (SEC) has issued new guidance to public companies regarding cybersecurity disclosures in their SEC filings.[1]
The guidance urges companies to consider the need to describe cybersecurity risks and incidents in their risk factors, MD&A, business description, legal proceedings disclosure, financial statements and board risk oversight disclosure in periodic reports and registration statements. The guidance states that companies should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel to enable senior management to make disclosure decisions and certifications.
The SEC also states that companies and their directors, officers and other corporate insiders should be mindful of complying with insider trading laws in connection with information about cybersecurity risks, incidents, vulnerabilities and breaches, including in the period following discovery of an incident and before public disclosure has been made.
The SEC guidance is effective immediately and applies to both domestic US companies as well as foreign private issuers.
Cybersecurity Disclosure

Although the SEC’s disclosure requirements do not specifically refer to cybersecurity risks and incidents, the SEC guidance states that the SEC believes it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.
- Risk factors. In 2015, over 88% of Russell 3000 companies disclosed cybersecurity as a risk.[2] The SEC guidance states that companies should disclose the risks associated with cybersecurity and cybersecurity incidents if these risks are among the most significant factors that make investments in the company’s securities speculative or risky.[3]
- MD&A. The average organizational cost of a data breach in the US in 2016 was $7.35 million based on a sample of 419 companies in 13 countries.[4] The SEC release states that companies must discuss events, trends or uncertainties that are reasonably likely to have a material effect on their results of operations, liquidity or financial condition, and that this analysis could be informed by the cost of ongoing cybersecurity efforts (including enhancements to existing efforts), the costs and other consequences of cybersecurity incidents, and the risks of potential cybersecurity incidents. The SEC guidance further states that companies may consider the various costs associated with cybersecurity issues, including loss of intellectual property, the immediate costs of the incident, the costs of implementing preventative measures, maintaining insurance, responding to litigation, preparing for and complying with proposed or current legislation, engaging in remediation efforts, addressing harm to reputation, and the potential loss of competitive advantage. The SEC also expects companies to consider the impact of such incidents on each reportable segment.
- Business. Companies must provide appropriate disclosure as part of their general business description if cybersecurity incidents or risks materially affect the company’s products, services, relationships with customers or suppliers or competitive conditions.
- Legal proceedings. Companies must disclose in their annual and quarterly reports, and registration statements, material pending legal proceedings, including any such proceedings that relate to cybersecurity issues. The SEC guidance also states that, if a company experiences a cybersecurity incident involving the theft of customer information and the incident results in material litigation by customers against the company, the company should describe such litigation.
- Financial statements. The SEC expects that a company’s financial reporting and control systems would be designed to provide reasonable assurance that information about the range and magnitude of the financial impacts of a cybersecurity incident would be incorporated into its financial statements on a timely basis as the information becomes available.
- Board risk oversight. U.S. domestic companies must disclose the extent of the board of directors’ role in the risk oversight of the company, such as how the board administers its oversight function and the effect this has on the board’s leadership structure. To the extent cybersecurity risks are material to the company’s business, the discussion of board risk oversight should include the nature of the board’s role in overseeing the management of the cybersecurity risk.
- Materiality. In addition to disclosure required by specific rules, companies are required to disclose “such further material information, if any, as may be necessary to make the required statements, in light of the circumstances under which they are made, not misleading.” The SEC considers omitted information to be material “if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available.”
  - The SEC guidance states that the materiality of cybersecurity risks or incidents depends on their nature, extent and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations. The materiality of cybersecurity risks and incidents also depends on the range of harm that such incidents could cause, including harm to the company’s reputation, financial performance and customer and vendor relationships, as well as the possibility of litigation or regulatory investigations or actions.
  - Companies do not need to make detailed disclosures that could compromise their cybersecurity efforts – such as by providing a roadmap for those who seek to penetrate the company’s security protections.
  - A company may need time to discern the implications of a cybersecurity incident. Cooperation with law enforcement could affect the scope of disclosure regarding an incident. However, the SEC guidance states that an ongoing internal or external investigation, which may be lengthy, would not on its own provide a basis for avoiding disclosure of a material cybersecurity incident.
- NYSE/Nasdaq requirements. The SEC guidance reminds companies listed on the NYSE or Nasdaq that the NYSE requires listed companies to “release quickly to the public any news or information which might reasonably be expected to materially affect the market for its securities” and Nasdaq requires listed companies to “make prompt disclosure to the public of any material information that would reasonably be expected to affect the value of its securities or influence investors’ decisions.”
- Duty to update/correct. The SEC guidance reminds companies that they may have (1) a duty to correct prior disclosure that the company determines was untrue at the time it was made – for example, if the company subsequently discovers contradictory information that existed at the time of the initial disclosure – or (2) a duty to update disclosure that becomes materially inaccurate after it is made – for example, when the original statement is still being relied on by reasonable investors.[5]
The SEC guidance states that companies should regularly assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications and to facilitate policies and procedures designed to prohibit directors, officers, and other corporate insiders from trading on the basis of material nonpublic information about cybersecurity risks and incidents.
The company’s disclosure controls and procedures should enable the company to identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors and make timely disclosures regarding such risks and incidents. Further, the CEO and CFO’s certifications as to the effectiveness of the disclosure controls should take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact.
The SEC guidance states that companies and their directors, officers and other corporate insiders should be mindful of complying with insider trading laws in connection with information about cybersecurity risks and incidents, including vulnerabilities and breaches. Under SEC rules, it is illegal to trade a security on the basis of material nonpublic information about that security or issuer, in breach of a duty of trust or confidence that is owed directly, indirectly, or derivatively, to the issuer of that security or the shareholders of that issuer, or to any other person who is the source of the material nonpublic information. Information about a company’s cybersecurity risks and incidents could be material nonpublic information, and directors, officers and other corporate insiders cannot trade the company’s securities while in possession of that material nonpublic information (subject to the ability to sell in accordance with 10b5-1 plans).
The SEC also urges companies to consider whether and when to implement restrictions on trading while investigating and assessing significant cybersecurity incidents, and determining the underlying facts, ramifications and materiality of these incidents. The SEC guidance states that companies should consider how to avoid the appearance of improper trading during the period following an incident and prior to the dissemination of disclosure.
Stemming from a 2017 cyberattack on Equifax’s systems, the SEC formally charged a former Equifax employee with insider trading on March 14, 2018. The former employee (who was an Equifax employee at the time of the alleged illegal trade) faces civil penalties sought by the SEC and criminal penalties sought by the DOJ for the trade. The trade at issue occurred after the date on which Equifax first learned of the cyberattack but before the date on which Equifax publicly disclosed this information. Equifax entrusted the employee with information regarding a breach but told the employee that it was a client who had suffered the breach. It is alleged that the employee was able to deduce that Equifax was the victim and traded Equifax securities based on this conclusion.
Regulation FD also applies to the disclosure of information related to cybersecurity risks and incidents. Companies and persons acting on their behalf should not selectively disclose material nonpublic information regarding cybersecurity risks and incidents to investment professionals, or to shareholders where it is reasonably foreseeable that the shareholder may trade in the issuer’s securities on the basis of the information, before disclosing this information to the public. The SEC expects companies to have policies and procedures in place to ensure that any disclosures of material nonpublic information related to cybersecurity risks and incidents are not made selectively.
* The authors would like to thank Telisa Gunter for her work in preparing this memorandum.
[1] Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Release Nos. 33-10459; 34-82746, 17 CFR §§ 229, 249 (Feb. 26, 2018), available at https://www.sec.gov/rules/interp/2018/33-10459.pdf.
[2] Willis Fortune 1000 Cyber Disclosure Report (Aug. 2013), available at http://blog.willis.com/wpcontent/uploads/2013/08/Willis-Fortune-1000-Cyber-Report_09-13.pdf.
[3] Specifically, the guidance states that companies should consider the occurrence of prior cybersecurity incidents, including their severity and frequency; the probability of the occurrence and potential magnitude of cybersecurity incidents; the adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including, if appropriate, discussing the limits of the company’s ability to prevent or mitigate certain cybersecurity risks; the aspects of the company’s business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks; the costs associated with maintaining cybersecurity protections, including, if applicable, insurance coverage relating to cybersecurity incidents or payments to service providers; the potential for reputational harm; existing or pending laws and regulations that may affect the requirements to which companies are subject relating to cybersecurity; and litigation, regulatory investigation and remediation costs associated with cybersecurity incidents.
[4] Ponemon Institute and IBM Security, 2017 Cost of Data Breach Study: Global Overview (Jun. 2017), available at https://www.ponemon.org/library/2017-cost-of-data-breach-study-united-states.
[5] The SEC guidance acknowledges that U.S. federal courts have not been consistent on whether or not they support the existence of the duty to update.