By Jacquelyn Lumb
The SEC has issued new interpretive guidance on registrants’ cybersecurity disclosure obligations under the federal securities laws. The guidance updates the interpretive release the staff issued in 2011, elevates it from the staff to the Commission level, and adds two topics the 2011 release did not address: the importance of cybersecurity policies and procedures, and the application of insider trading prohibitions in the cybersecurity context. Chairman Jay Clayton issued a statement urging public companies to examine their controls and procedures not only with their securities law obligations in mind, but also with the reputational considerations surrounding sales of securities by executives. The guidance is effective upon publication in the Federal Register (Release No. 33-10459, February 21, 2018).
The guidance notes that, given the frequency, magnitude, and cost of cybersecurity incidents, it is critical that public companies take all required actions to inform investors about material cybersecurity risks in a timely fashion. To enable that disclosure, the guidance advises that a company’s disclosure controls and procedures should provide a method for determining the impact of a cybersecurity risk or incident on its business, financial condition, and results of operations.
Risk of insider trading. The guidance also warns that officers, directors, and other corporate insiders must not trade a public company’s securities while in possession of material nonpublic information, which may include knowledge about a significant cybersecurity incident. Public companies should have policies and procedures to guard against insiders taking advantage of the time between the discovery of a cybersecurity incident and the public disclosure of the incident.
Selective disclosure. The guidance also reminds companies to refrain from making selective disclosure of material nonpublic information about cybersecurity risks or incidents. The Commission considers omitted information material if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or if the disclosure of the omitted information would have been viewed by the reasonable investor to have significantly altered the total mix of information that was available.
Delays in disclosure. A company is not expected to make detailed disclosures that could compromise its cybersecurity efforts, but it must disclose risks and incidents that are material to investors, including the potential financial, legal, or reputational consequences. The SEC recognizes that it may take some time to determine the full implications of an incident and it may be necessary to cooperate with law enforcement, which could affect the scope of the disclosure. The guidance added, however, that an ongoing internal or external investigation would not on its own provide a basis for avoiding the disclosure of a material cybersecurity incident.
Duty to correct. Companies also have an obligation to correct any disclosures that subsequently are determined to be untrue at the time they were made, so they should consider revisiting previous disclosure while investigating a cyber incident.
Unanimous approval, with reservations. The SEC had originally scheduled an open meeting for February 21, 2018 at which the cybersecurity guidance was to be considered. However, the commissioners unanimously approved its adoption seriatim on February 20. Commissioner Robert Jackson issued a statement that his support was given reluctantly. Jackson said he hoped the guidance was just the first step in countering those who use technology to threaten our economy. He noted that the effectiveness of the 2011 staff guidance has frequently been questioned, and that many have raised concerns about under-reporting due to differing interpretations of materiality.
Commissioner Kara Stein also released a statement in which she noted that, during a roundtable discussion on cybersecurity issues, a number of participants criticized cybersecurity disclosure as mostly boilerplate language that provides no meaningful information to investors. She expressed disappointment in the Commission’s limited action in issuing the guidance.
While the updated guidance may provide valuable reminders of points made in the 2011 guidance and raises that guidance to the Commission level, she questioned whether it would actually help companies provide investors with “comprehensive, particularized, and meaningful disclosure about cybersecurity risks and incidents,” and concluded that it likely would not. She said there is much more the Commission could have done, including engaging in rulemaking rather than issuing mere guidance.