The Securities and Exchange Commission voted unanimously to approve guidance to encourage public companies to provide disclosures about cybersecurity incidents they encounter and the risks they face.
The guidance offers the SEC’s views about public companies’ disclosure obligations under current law involving cybersecurity risk and incidents. It also discusses the importance of cybersecurity policies and procedures, along with the application of disclosure controls and procedures, insider trading prohibitions, and Regulation FD and selective disclosure prohibitions in the cybersecurity context.
“I believe that providing the Commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors,” said SEC Chairman Jay Clayton in a statement last Wednesday. “In particular, I urge public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives.”
Cybersecurity risks can pose grave threats to investors, capital markets, and the U.S., the SEC noted. “Whether it is the companies in which investors invest, their accounts with financial services firms, the markets through which they trade, or the infrastructure they count on daily, the investing public and the U.S. economy depend on the security and reliability of information and communications technology, systems, and networks,” said the SEC. “Companies today rely on digital technology to conduct their business operations and engage with their customers, business partners and other constituencies. In a digitally connected world, cybersecurity presents ongoing risks and threats to our capital markets and to companies operating in all industries, including public companies regulated by the Commission. As companies’ exposure to and reliance on networked systems and the Internet have increased, the attendant risks and frequency of cybersecurity incidents also have increased.”
Cybersecurity incidents can stem from unintentional events or deliberate attacks by insiders or third parties, including cybercriminals, competitors, nation-states and “hacktivists,” the SEC noted. It pointed out that attackers can use a wide range of methods to perpetrate cyberattacks, including stolen access credentials, malware, ransomware, phishing, structured query language (SQL) injection attacks and distributed denial-of-service attacks, among others.
Given the frequency, magnitude and cost of cybersecurity incidents, the SEC believes public companies should inform investors about material cybersecurity risks and incidents in a timely fashion, including companies that are subject to cybersecurity risks but haven’t yet been the target of a cyberattack.
“Crucial to a public company’s ability to make any required disclosure of cybersecurity risks and incidents in the appropriate timeframe are disclosure controls and procedures that provide an appropriate method of discerning the impact that such matters may have on the company and its business, financial condition and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents,” said the SEC. “In addition, the Commission believes that the development of effective disclosure controls and procedures is best achieved when a company’s directors, officers, and other persons responsible for developing and overseeing such controls and procedures are informed about the cybersecurity risks and incidents that the company has faced or is likely to face. Additionally, directors, officers, and other corporate insiders must not trade a public company’s securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company.”
The SEC said public companies should have policies and procedures in place to guard against directors, officers, and other corporate insiders taking advantage of the period between the company’s discovery of a cybersecurity incident and public disclosure of the incident to trade on material nonpublic information about the incident. They should also help ensure that the company makes timely disclosure of any related material nonpublic information.
“In addition, we believe that companies are well served by considering the ramifications of directors, officers and other corporate insiders trading in advance of disclosures regarding cyber incidents that prove to be material,” said the SEC. “We recognize that many companies have adopted preventative measures to address the appearance of improper trading and we encourage companies to consider such preventative measures in the context of a cyber event.”