February 27, 2018 | Client Alert

SEC Issues Guidance on Public Company Cybersecurity Disclosures

On February 21, 2018, the Securities and Exchange Commission (SEC) published new interpretive guidance to assist public operating companies in preparing the disclosures about cybersecurity risks and incidents that the federal securities laws require. The new statement reinforces and expands on the October 2011 guidance issued by the SEC's Division of Corporation Finance. The release does not address the specific implications of cybersecurity for other entities regulated under the federal securities laws, such as registered investment companies, investment advisers, brokers, dealers, exchanges, and self-regulatory organizations.

The release stresses the importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents. The Commission also reminds companies and their directors, officers, and other corporate insiders of the insider trading prohibitions under the general anti-fraud provisions of the federal securities laws, and of their obligation to refrain from selectively disclosing material nonpublic information about cybersecurity risks or incidents.

Commission Guidance

  • Materiality: Companies should consider the materiality of cybersecurity risks and incidents when preparing required disclosure documents, including annual reports on Form 10-K, quarterly reports on Form 10-Q, and registration statements. The Commission encourages companies to continue to use Form 8-K to disclose material information promptly, including disclosure pertaining to cybersecurity matters. Foreign private issuers are required to make the same disclosures in their annual reports on Form 20-F and their current reports on Form 6-K. The Commission expects companies to disclose cybersecurity risks and incidents that are material to investors, including the resulting financial, legal, or reputational consequences. The Commission also expects disclosure that is tailored to a company's particular risks and incidents; companies should avoid generic, boilerplate cybersecurity disclosure. The guidance does not suggest that a company should make detailed disclosures that could compromise its cybersecurity efforts, for example by providing a "roadmap" for those who seek to penetrate the company's security protections.
  • Risk Factors: Companies are required in registration statements and periodic reports to disclose the most significant factors that make an investment in the company's securities speculative or risky. Companies should disclose risks relating to cybersecurity, including, among others: the occurrence of prior incidents; the probability of occurrence and the potential magnitude of future incidents; the adequacy of preventative actions and their associated costs; the aspects of the company's business and operations that give rise to cybersecurity risk, and the potential costs and consequences; the costs of maintaining protections, including insurance coverage where applicable; the potential for reputational harm; and litigation, regulatory investigation, and remediation costs.
  • Other Required Disclosures: In addition to their risk factors, companies should include cybersecurity disclosure, as applicable, in the following sections of periodic reports and registration statements: Management's Discussion and Analysis (MD&A) of Financial Condition and Results of Operations; Description of Business; Legal Proceedings; Financial Statement Disclosures; and Board Risk Oversight.

Disclosure Controls and Procedures, Insider Trading, and Regulation Fair Disclosure (FD) and Selective Disclosure

Companies should adopt comprehensive policies and procedures relating to cybersecurity and regularly assess their compliance with them, including the sufficiency of their disclosure controls and procedures for cybersecurity disclosure. Those policies and procedures should be designed to prevent directors, officers, and other insiders from trading on the basis of material nonpublic information about cybersecurity risks and incidents. Many exchanges require listed companies to adopt codes of conduct and policies that promote compliance with applicable laws, rules, and regulations, including those prohibiting insider trading.

Where material nonpublic information related to cybersecurity is disclosed selectively, companies must ensure compliance with Regulation FD. The Commission expects companies to have policies and procedures that ensure disclosures of material nonpublic information about cybersecurity risks and incidents are not made selectively, and that any public disclosure required by Regulation FD is made simultaneously (in the case of an intentional disclosure) or promptly (in the case of a non-intentional disclosure) and is otherwise compliant with Regulation FD.

If you have any questions regarding the SEC's guidance and how it could affect your disclosure obligations, please contact any member of Michael Best's Securities & Capital Markets or Privacy & Data Security Teams.