Tuesday, December 05, 2017

Corporation Finance staff is working on an update to cybersecurity disclosure guidance

By John Filar Atwood

The staff of the Division of Corporation Finance is developing new guidance for companies’ handling of cybersecurity disclosure. Division Director Bill Hinman said at Practising Law Institute’s securities regulation conference that when Chairman Jay Clayton first asked him if the existing guidance needed to be refreshed, he did not think so. After reviewing the disclosure on more recent cyber events, Hinman changed his mind.

The existing cybersecurity guidance on disclosure is principles-based and was developed in 2011. Hinman said the 2011 guidance is still relevant, but the staff is working on updates in certain areas. The staff will look carefully at what companies are disclosing about their preparation for an attack and how they handled the event itself.

Among other things, the new guidance will ask companies to look at their disclosure controls in the area of cybersecurity, he said. The staff believes that a hallmark of good controls is a procedure that ensures that the IT department and management are talking to each other when a cyber event happens, he noted. The staff wants to see that when a breach occurs, the event is being reviewed by the proper levels of management, he added.

The new guidance also will include a reminder that with escalation procedures in place, a breach could rise to the level of a “material” event, Hinman said. As a result, companies would be wise to review their insider trading policies, and to re-emphasize the restrictions on insider trading, he noted.

Non-GAAP disclosure. Hinman was joined in a panel discussion on Corporation Finance hot topics by the Division’s director of disclosure operations, Shelley Parratt. She said that after much activity in the area of non-GAAP disclosure, she believes the staff is moving into a period where it will largely leave the issue alone. There will still be comments provided on non-GAAP financial measures that the staff finds troubling, she noted, but it will not be as prominent an issue as in the recent past.

Personally identifiable information. Parratt also discussed the October 11 FAST Act-related proposals, particularly the proposal dealing with personally identifiable information (PII). The proposed rule changes would create efficiencies in the process to seek confidential treatment for commercially sensitive or confidential information, including PII. The proposals would permit registrants to omit from material contract exhibits confidential information that is not material and would cause competitive harm if publicly disclosed, without having to request confidential treatment from the Commission.

Companies would be permitted to omit PII in all cases without submitting a confidential treatment request. Under the proposals, exhibits would continue to be subject to review, and the staff would assess whether redactions appear to be appropriate.

Parratt said that the proposal seeks to codify what has already been staff practice. The staff wants companies to redact the exhibit information for which they otherwise would ask for confidential treatment, and to eliminate the long explanation process otherwise associated with the confidential treatment request, she said.

According to Parratt, the proposal is designed to lessen the compliance burden on companies, and to lessen the information protection burden on the staff. The staff has protocols in place to maintain confidential information, and uses very rigorous procedures to protect the information, she said. Not having that information in-house will make it easier on the staff, she noted. She cautioned that if the proposals are adopted, the staff will monitor their use to ensure that companies are “not getting greedy with their redactions.”

Resource extraction. Hinman also briefly touched on the issue of resource extraction disclosure, noting that the staff is working on a proposal in this area. The existing rule was disapproved under the Congressional Review Act in February, giving the SEC one year to develop a new rule. Hinman said that the staff has met with interested groups, and is working to come up with a proposed new approach to resource extraction disclosure by February 14.