SEC Cybersecurity Disclosure Guidance

Nicholas J Price
Companies have expressed concerns over the lack of clarity surrounding cybersecurity disclosures in the event of a data breach. In response, the Securities and Exchange Commission (SEC) offered companies some official guidance on cybersecurity disclosures in February 2018.

In their release, the SEC acknowledges that cyber incidences pose a great threat to investors, capital markets and our country. In addition, the SEC publicly recognizes that our economy relies on the security and reliability of communication technology. Cybercrime is increasing and digital interconnectivity presents ongoing risks and threats to every industry. To sum things up fairly, the SEC equates the importance of secure data management and technology to business to the importance of electricity to the general public.

The Prevalence and Severity of Cyberattacks

The SEC admits that companies face a continual threat over increasingly sophisticated cyberattacks. Criminals are using tough tactics like stealing access credentials and infecting systems with malware, ransomware and phishing. Companies must also protect themselves against structured query language injection attacks and distributed denial-of-service attacks.

Attacks may be unintentional or deliberate and may include theft or destruction of financial assets, intellectual property and other sensitive information that belongs to companies, customers and business partners. The SEC also recognizes that companies that operate in industries that are responsible for critical infrastructure are especially at risk.

Costs and Negative Consequences of a Cyberattack

Companies that become victims of cyberattacks may incur costs and negative consequences on many fronts, including:

  • Remediation costs
  • Liability for stolen assets or information
  • Repairs of system damage
  • Incentives to repair reputational damage
  • Increased protection costs
  • Litigation, legal and regulatory costs
  • Increased insurance costs
  • Organizational changes
  • Hiring experts or additional personnel
  • Training employees
  • Lost revenue resulting from unauthorized use of proprietary information
  • Damage to stock prices, competition and long-term shareholder value

Public Companies Must Notify Investors About Material Cybersecurity Risk

Citing the frequency, magnitude and cost of cybersecurity incidents, the SEC believes that companies should take all actions necessary to inform investors about material cybersecurity incidents in a timely manner. Companies should perform due diligence in assessing the company, its business, the financial condition, results of operations and protocols to determine the materiality of the risks. Also, the Commission recommends that the company's directors, officers and others who are responsible for developing and overseeing the controls and procedures be notified about the cybersecurity risks and incidents that the company has faced or will likely face.

Guidance About Trading While in Possession of Nonpublic Information

The SEC cybersecurity disclosure guidance is clear that directors, officers and other corporate insiders must not trade a public company's securities while they're in possession of nonpublic information. This includes knowledge of a cybersecurity incident. Public companies should have policies and procedures in place to protect against trading under these circumstances and to make timely disclosures to investors. The SEC urges companies to consider preventative measures against improper trading in the context of cyber events as well as other situations where they have already taken measures to avoid the appearance of improper trading.

In light of the frequency and impact of cybersecurity incidents, the SEC recommends that companies establish policies and procedures as they pertain to cybersecurity matters and ensure that they remain in compliance with all documents that require disclosures about cybersecurity issues as part of the SEC cybersecurity disclosure guidance.

The SEC clarifies that it's not their intent for companies to make disclosures in such a way as to compromise its cybersecurity efforts in their attempts to notify investors and the SEC of cybersecurity risks and incidents. They will consider that some material facts may not be available at the time of the initial disclosure and that disclosures could be affected by the need to cooperate with law enforcement. Companies also have an obligation to correct prior disclosures that proved to be inaccurate.

The SEC expects companies to provide disclosures that are customized to their cybersecurity risks and incidents and that don't use boilerplate language or static requirements, so that information provided to investors is meaningful. In addition to being mindful about required disclosures on SEC forms, boards must disclose their role in oversight of the regulations regarding cybersecurity.

Guidance on Avoiding Issues Related to Insider Trading

Companies, board directors, leaders, officers and other corporate insiders should be keenly aware of the laws related to insider trading as they pertain to information about cybersecurity risks and incidents including vulnerabilities and breaches. It is illegal to trade securities 'on the basis of material nonpublic information about that security or issuer, in breach of a duty of trust or confidence that is owed directly, indirectly, or derivatively, to the issuer of that security or the shareholders of that issuer, or to any other person who is the source of the material nonpublic information.' The SEC cybersecurity disclosure guidance notes that all insider trading laws and regulations apply to cybersecurity risks and incidents.

In addition to being illegal, insider trading is an ethical matter. The SEC advises companies to factor in how their insider trading policies prevent trading based on material nonpublic information related to cybersecurity risks and incidents. Well-designed policies and procedures will prevent trading on the basis of all types of material non-public information.

During the course of investigations on cybersecurity incidents, the SEC recommends that companies should determine whether it's pertinent to implement restrictions on insider trading in their securities. As with any other type of incident related to insider trading, companies should do all they can to avoid the appearance of improper trading during the time after an incident and before they disclose it to the public.

SEC cybersecurity disclosure guidance is provided as a help for public companies in these volatile times. Board discussions about cybersecurity incidents, disclosures and how to handle cyberthreats and incidents are sensitive matters that could drastically affect the company's profitability and reputation. Cybersecurity is a modern board governance issue that calls for a modern governance approach. Diligent Boards and the suite of digital tools that comprise Governance Cloud are the modern solutions for companies as they address cybersecurity and cyber risk using a highly secure digital platform. Diligent is an industry leader and it provides the perfect solution for secure communications on cybersecurity and all other governance topics.
Related Insights
Nicholas J. Price
Nicholas J. Price is a former Manager at Diligent. He has worked extensively in the governance space, particularly on the key governance technologies that can support leadership with the visibility, data and operating capabilities for more effective decision-making.