By John Filar Atwood
Bill Hinman, director of the SEC’s Division of Corporation Finance, said the staff is looking closely at companies’ risk disclosure surrounding cybersecurity in this year’s filings following the update to the SEC’s cyber guidance that was issued in February. At the PCAOB’s recent Standing Advisory Group meeting, he noted that some aspects of the guidance have been controversial, so he explained some of the Commission’s thinking behind the guidance.
Hinman said that the staff wanted to focus the guidance on a few areas to which it wanted to draw more attention. The first area was internal controls and how companies were designing internal controls so that when a cyber incident occurs, there were the right procedures in place to escalate the issue.
Companies should not just have IT personnel looking at cyber risks anymore, he said. The issues now should be brought to the attention of disclosure experts at the company, as well as the general counsel. Hinman said the staff wanted to remind companies that they should have procedures in place that would cause escalation to occur, so it was added to the guidance.
Trading by insiders. One controversial aspect of the guidance has been the staff’s advice on companies’ trading policies, he said. The staff has found that companies are still trying to understand what the staff meant by this section of the guidance, he noted.
Hinman said that the staff believes that escalating a cyber issue gives a company the opportunity to think about what the implications are for its trading policy. The guidance says that as a company escalates cyber incidents through the disclosure team, it should bear in mind that the information may be material and the company will want to be issuing disclosures. He acknowledged that sometimes it is hard to determine what is a material attack and what is not.
Hinman said that at some point a company might want to have a prophylactic policy that says that its officers, directors, and anyone with actual knowledge of a cyber incident are prevented from trading in the company's shares. At a minimum, a company should counsel people about not trading while the company is sorting out whether the incident is material, he added.
There have been a number of high profile situations where Congress has gotten excited and consumers have been offended by companies’ cyber incidents, he noted, and legislation has been proposed in this area. In writing the cyber guidance, the staff thought it made sense for a company to get out ahead of the issue, and maybe avoid a bright line congressional approach, by thinking about how it wants to advise its insiders who may want to trade while the company is deciding if the information is material.
Hinman said that when a company has an incident where there is a reasonable chance that it will be material, it should consider whether it wants to block trading by insiders in the way that it might block trading at the end of a quarter. He acknowledged that it can be difficult for companies to work with this part of the guidance because so many incidents occur. The staff recognizes that it is asking a lot of the companies when it suggests that that is something to bear in mind, he said, but the staff believes it is something about which companies should be thoughtful.
In the guidance, the staff also asked for a little more disclosure on what the board’s oversight role is, according to Hinman. It reminded companies of the general requirement to disclose how the board approaches various risk management areas. If cybersecurity is an area where a company thinks it may have material risks, then it should work that into its disclosure, he said, adding that the staff is reviewing for that this year.
GDPR rules. With regard to the EU’s General Data Protection Regulation (GDPR), Hinman noted that they are designed to protect a company’s email user and not its investors. The Commission views the issue from the perspective of whether it is going to be material to investors, he said.
GDPR does have implications for a lot of SEC registrants, he stated. A company has to think about how the regulation may impact its business plan, including considering possible fines for non-compliance, which may be up to two percent of annual sales.
In GDPR, there are also some very rigid rules around disclosures to individuals whose information may have been compromised, he said. He advised that even in situations where only small groups' information is compromised, if a company is disclosing under the GDPR rules that it has had a breach, that will have implications for how the company wants to manage its U.S. public disclosure.