The Securities and Exchange Commission (“SEC”) has issued extensive interpretation advice (“2018 Guidance”), released on February 21, 2018, building further on its far-reaching cybersecurity guidance provided in 2011. Below are four key points that will be critical to complying with federal securities laws securities in the future.
1. The SEC recognizes that effective cybersecurity has never been more important to financial markets and our country.
In the wake of the Equifax breach, it’s no surprise that the SEC acknowledges that “[c]cybersecurity risks pose serious threats to investors, our capital markets and our country” and that “the importance of data management and technology for business is analogous to the importance of electricity and ‘other forms of energy over the last century’.
The SEC understands that a lack of cybersecurity and resulting cybersecurity incidents will result in the destruction of shareholder value, and it is seriously considering using its authority to reduce this risk. By reminding businesses that[c]Cybersecurity risk management policies and procedures are key components of enterprise-wide risk management, including with respect to compliance with federal securities laws,” the SEC made clear. that compliance should begin at the policy and procedure level, not when a material adverse cybersecurity event occurs.
2. Adequate cybersecurity controls are necessary to comply with mandatory disclosures of material cybersecurity incidents under federal securities laws and to prevent insider trading based on material nonpublic information.
The SEC continues to emphasize that federal securities laws require (a) mandatory disclosure of material cybersecurity events and (b) that companies have a duty to prevent insider trading, which includes transactions made on material non-public information involving cybersecurity incidents.
Compliance will not be possible without effective underlying controls that are in place and executed before a significant cybersecurity event occurs. According to the SEC:
Disclosure controls and procedures that provide an appropriate method for discerning the impact these matters may have on the business and its business, financial condition and results of operations, as well as a protocol for determining the potential materiality of these risks and incidents.
Implementing such controls will require cooperation between information technology, finance, operations and those who generally manage risk on an ongoing basis. Siled compliance functions will not suffice.
Further building on this effort, companies should create and execute a set of controls that reduce the risk of insider trading-based cybersecurity incidents by “protecting[ing] against company directors, officers, and other insiders taking advantage of the period between the company’s discovery of a cybersecurity incident and public disclosure of the incident to exchange material, non-public information about the incident. Interested parties should bear in mind that such controls aimed at preventing insider trading may not be as effective as the initial set of controls used to determine which incidents are material in the first place.
3. Companies can use the SEC factors provided to help determine what is material. Generally speaking, the more damaging, costly and problematic a cybersecurity incident is, the larger it is likely to be.
The SEC has provided expanded guidance on what cybersecurity incidents will be considered material. Companies should analyze a given cybersecurity incident using the factors provided by the SEC below:
a. Remediation costs, including “liability for stolen assets or information, system damage repairs, and incentives to customers or business partners to maintain relationships after an attack;”
b. Increased cybersecurity protection costs, which may include costs related to organizational changes, deployment of additional personnel and protective technologies, employee training, and engagement of third-party experts and consultants;
vs. Loss of revenue resulting from unauthorized use of proprietary information or inability to retain or attract customers following an attack;
D. Litigation and legal risk, including regulatory actions taken by state and federal agencies;
e. Increase in insurance premiums;
F. Damage to reputation; and
g. Damage to the company’s competitiveness, share price and long-term shareholder value.
Although the analysis depends on the specific cybersecurity incident at issue, businesses can rest assured that the greater the expense, damage, and risk created by the incident, the more likely it is to be considered significant. The use of these factors and the prophylactic documentation of an enterprise-level materiality determination will depend on the pre-existing adequate cybersecurity controls discussed in the previous section.
4. Companies should focus on disclosing information that will allow investors to appreciate why a security incident is material. However, companies do not need to disclose technical information that could put their cybersecurity at risk, and the SEC will not accept an internal or external investigation without more as reason to delay a material cybersecurity disclosure.
What should companies disclose for effective disclosure of a material cybersecurity incident? Companies should strive to inform investors in a way that allows them to assess risk in light of the factor framework in the previous section. Companies do not need to divulge technical information that could provide a “roadmap” to a potential attacker. The SEC recognizes that such detailed technical information is unlikely to help investors assess investment risk and could expose companies to additional risk.
However, companies seeking to delay a material disclosure should be cautious, as “an ongoing internal or external investigation – which can often be lengthy – would not alone provide a basis for avoiding disclosure of a material cybersecurity incident. “. This means that law enforcement investigations may not serve as a means to delay disclosure, particularly where a material disclosure could be made without revealing sensitive technical details.
5. Companies have a duty to update their information regarding material cybersecurity incidents following ongoing investigations.
The SEC has reminded companies that they must update information that becomes materially inaccurate, including when the statement is still in use by reasonable investors. For example, subsequent investigation may reveal additional material facts or reveal that certain disclosures provided were based on incomplete findings.
©1994-2022 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, PC All rights reserved.National Law Review, Volume XII, Number 98