“Across America companies are desperately seeking direction as they grapple to identify and follow best practices for cyberrisk management. … Yes, new rules and regulations can help push companies toward cyberresiliency. Yes, improved technological defenses will help mitigate the cyberthreat. But these are tactical responses to a strategic problem. We need to think bigger. Cybercrime is an enterprise-level risk that will require an interdisciplinary approach, significant investments of time and talent by senior leadership and board-level attention. In short: the cyberthreat is a corporate governance issue.” —Commissioner Robert J. Jackson Jr., “Corporate Governance: On the Front Lines of America’s Cyber War,” March 15, 2018, speech at Tulane University Law School, 30th Annual Corporate Law Institute
Over the years, companies’ approach to cybersecurity has shifted from considering it as a purely technological issue or an issue that can be handled through a combination of technological and regulatory measures, to the current trend of a comprehensive approach to cybersecurity as a governance issue. This trend is clear in the new Interpretive Guidance on Public Company Cybersecurity Disclosures issued by the Securities and Exchange Commission (SEC) on Feb. 21.
Although the SEC’s Division of Corporation Finance previously addressed cybersecurity issues in its 2011 Disclosure Guidance: Topic No. 2, that guidance focused mostly on areas of public company disclosures that should include information about cybersecurity risks and incidents. The SEC’s 2018 interpretive guidance places greater emphasis on cybersecurity risk management policies and procedures and considers them to be “key elements of enterprisewide risk management.”
In light of the new SEC guidance, companies should:
- Re-evaluate the process that the company’s board of directors uses to discharge its responsibility for cybersecurity risk oversight;
- Review the company’s policies and procedures related to disclosure controls and procedures, insider trading and selective disclosures; and
- Consider whether the company’s cybersecurity risk factor and other disclosures need to be refreshed.
Companies should review their cybersecurity risk management program and evaluate how the board of directors “engages with management on cybersecurity issues” to discharge its responsibility for cybersecurity risk oversight. The 2018 guidance states that, to the extent cybersecurity risks are material to a company’s business, the proxy statement discussion of the board’s role in the risk oversight of the company should include “the nature of the board’s role in overseeing the management of that risk.” Companies should also review their disclosures related to board risk oversight to determine whether such disclosures should be expanded to address the board’s responsibility for cybersecurity risk oversight.
- Effective Disclosure Controls and Procedures.
Companies should evaluate whether their controls and procedures include the protocols that will enable them to: “identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisers, and make timely disclosures regarding such risks and incidents.” The SEC’s new guidance made it clear that CEO and CFO certifications regarding the design and effectiveness of the company’s disclosure controls and procedures, and disclosures regarding the company’s conclusions on the effectiveness of its disclosure controls and procedures, “should take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact.”
- Application of Insider Trading Prohibition to Cybersecurity Risks and Incidents.
Companies should review their insider trading policies to make sure that the company has appropriate policies and procedures in place to prevent directors, officers, and other corporate insiders from trading in the company’s securities on the basis of material nonpublic information about its cybersecurity risks and incidents, prior to public disclosure of such risks or incidents. The SEC’s 2011 guidance suggested that “while companies are investigating and assessing significant cybersecurity incidents, and determining the underlying facts, ramifications and materiality of these incidents, they should consider whether and when it may be appropriate to implement restrictions on insider trading in their securities.”
- Selective Disclosures about Cybersecurity Risks and Incidents.
Companies should review their Regulation FD policies and procedures to make sure that disclosures of material nonpublic information related to cybersecurity risks and incidents are not made selectively in violation of Regulation FD. The SEC guidance states that companies and persons acting on their behalf should not selectively disclose material, nonpublic information regarding cybersecurity risks and incidents in violation of Regulation FD before disclosing that same information to the public.
- Prior Cybersecurity Disclosures and Materiality Determinations.
Companies should consider whether they need to “revisit or refresh” previous cybersecurity disclosures. The SEC expects companies to disclose cybersecurity risks and incidents that are material to investors. The SEC clarified that the materiality of cybersecurity risks or incidents generally depends upon: the nature, extent, and potential magnitude of cybersecurity risks or incidents (for example, whether compromised information includes personally identifiable information, trade secrets or other confidential business information); as well as the range of harm that such cybersecurity incidents could cause (for example, harm to a company’s reputation, financial performance, and customer and vendor relationships, as well as the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities).
Although the SEC recognizes that a company may need time to “discern the implications of a cybersecurity incident,” and that ongoing internal and law enforcement investigation of a cybersecurity incident may be lengthy and may affect the scope of disclosure regarding the incident, the SEC believes that an ongoing internal or external investigation “would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.” However, the SEC stated in the 2018 guidance that it does not expect companies to publicly disclose “specific, technical information about their cybersecurity systems, the related networks and devices, or potential system vulnerabilities in such detail as would make such systems, networks, and devices more susceptible to a cybersecurity incident.”
Yelena Barychev is a partner at Blank Rome. She advises companies and nonprofit institutions on M&A and securities law issues, including corporate governance, risk management, and cybersecurity matters. Yelena writes and speaks on corporate governance and cybersecurity issues.