As data security breaches and privacy protection become a greater financial concern for companies, so do they for those companies’ investors. The Securities and Exchange Commission is following suit by taking a closer look at companies’ cybersecurity issues.
In new guidance released Feb. 21, the SEC detailed its view on how public companies should disclose their cybersecurity incidents and risks in their filings. While the interpretive guidance mostly expands on the SEC’s existing expectations regarding such disclosures, it touches on new areas such as how cybersecurity intersects with insider trading.
The release builds on the cybersecurity guidance that the staff of the SEC’s Division of Corporation Finance issued in October 2011. That document described “specific disclosure obligations that might require a discussion of cybersecurity risks and cyber incidents” under Regulation S-K, the SEC regulation that sets out the disclosure requirements for public filings. Those obligations included disclosing risk factors such as the likelihood that the company would fall victim to particular types of data security incidents and the costs it would likely incur as a result.
The February guidance goes further by offering specific examples of the information the commission encourages companies to disclose. While the February release doesn’t signal a major shift from the 2011 document, companies would do well to review it, securities lawyers say.
“This release has been criticized as a rehash of old news, but that’s underestimating the release,” said Lee Terry, a securities attorney and partner at Davis Graham & Stubbs. Terry said the new guidance states for the first time that the management’s discussion and analysis, or MD&A, section of a company’s filings should address the ongoing costs and consequences of cyber incidents.
“If any public companies weren’t paying much attention to cybersecurity disclosures, they are now,” said Coates Lear, a Squire Patton Boggs principal and former SEC Enforcement Division attorney. Last month’s guidance is the latest example of the commission’s “laser-focused” approach to cybersecurity issues, Lear said. “I think it’s fair to say that cybersecurity has become a top priority for the commission and personally for the new chair, Jay Clayton.”
The SEC Enforcement Division in September created a “Cyber Unit” dedicated to investigating hacks, market manipulation schemes, intrusions into retail brokerage accounts and other securities-related cyber crimes.
The new guidance might be best understood in relation to recent data security breaches and their effects on investors and securities law enforcement.
“Much of this release is not necessarily new, but what is new is reactive,” Terry said. The guidance emphasizes disclosure controls and procedures as well as insider trading prevention, which seems relevant to the aftermath of last year’s Equifax hack, he added.
Four Equifax executives were suspected of insider trading when they sold shares in their company days after the catastrophic breach was discovered but before it was announced publicly. The executives claimed they had no knowledge of the breach when they sold the shares, and an Equifax committee investigating them concluded in September that the sales didn’t constitute insider trading. But the SEC isn’t necessarily buying that, Terry said.
In the guidance, the SEC said it believes that “material, nonpublic information” can include knowledge of cybersecurity risks or incidents. It also said companies should have policies that prevent trading on the basis of that information.
The SEC is also signaling its expectation that companies have disclosure controls and procedures that ensure information about data security incidents travels from the front lines up to the boardroom. That information should also reach the accounting and finance departments that prepare the public filings, though at some companies those departments have little communication with IT.
“You can imagine a situation where the people involved in preparing the filings are far removed from people who are dealing with cybersecurity issues,” Lear said.
There is also a gray area as to which cybersecurity risks or incidents rise to the level at which the C-suite has an obligation to know about them for the SEC’s purposes. Many companies experience attempted hacks daily, Terry said.
“The really difficult line [to draw] becomes what’s impactful,” Terry said. “What you want to do is be able to prove you had this procedure set up … and it moved as fast as it possibly moved [to report the incident to company leadership], but you can’t have a boy crying wolf all day.”
— Doug Chartier