Last year’s SEC statement isn’t legally binding, but here’s why public companies must comply
As news of high-profile data breaches continuously grabs headlines, boardrooms nationwide are scrambling to understand the implications of the Securities and Exchange Commission’s (SEC) robust cybersecurity guidance.
Issued on Feb. 21, 2018, the long-awaited guidance adds specific expectations for disclosure controls and incident response procedures for companies listed on U.S. stock exchanges. It marks a notable change from the previous SEC guideline issued in 2011 by requiring companies to publicize cyber-attacks – regardless of whether or not the organization suffered any financial or operational harm. Previously, the SEC only required companies to disclose attacks that led to economic losses or increased the risk of investing in the company.
The new guidance builds on the SEC’s 2011 statement on cybersecurity but carries more weight because it bears the imprimatur of the Commission itself instead of its staff. It calls on companies to continuously monitor themselves for security risks and to notify shareholders of potential attack vectors – and the potential for cybercriminals to exploit them.
It also adds language designed to crack down on insider trading of stock due to knowledge of a cyber-attack that hasn’t been publicly disclosed. Accusations of stock dumping followed the 2017 Equifax breach, although an internal investigation later cleared the three executives involved of wrongdoing.
So, what does this mean for your company? The new SEC guidance is only an interpretation – it’s not legally binding. Rather, it’s a statement of how the SEC interprets existing law that’s meant to serve as a guideline for company actions. This guidance seems largely aimed at clearing up confusion surrounding the SEC’s addition of cybersecurity to its disclosure rules.
Private companies don’t need to comply, although it’s always wise to follow best cybersecurity practices. But public companies should pay heed: this SEC statement was handed down by the Commissioners themselves and could easily become the legal reasoning behind a case if the government accuses you of a violation.
5 tips for compliance
Here are five steps companies can take to comply with the most recent SEC guidelines:
- Clearly state how your board will help manage cybersecurity risk. The SEC wants to see clear evidence in your company filings that cybersecurity risk is a focus for your board. Board members need to become educated about security and technology and play an active role in managing cybersecurity risks throughout their organization.
To underscore your commitment, consider adding factors that relate to how the board oversees cybersecurity risk in proxy statement disclosures, such as relevant lines of reporting from CIOs or CISOs. Report losses and expenses related to cybersecurity on financial statements. If the board decides to delegate cybersecurity risk management to board committees such as audit or risk, it’s important to update the committee’s charter to reflect its new responsibilities.
- Add disclosure review to your incident response procedures. The SEC requires companies to “establish and maintain appropriate and effective disclosure controls and procedures that enable them to make accurate and timely disclosures of material events, including those related to cybersecurity.” Put simply, that means response protocols should include steps for quickly pushing information up the chain so senior management can make decisions about whether disclosure is required and if any other actions must be taken.
Take time to review incident response policies to ensure that they have robust disclosure controls. That includes a process for determining the severity of a cybersecurity incident, escalating matters to senior management, and evaluating whether SEC reporting is required.
Other important elements of an incident response plan include protocols for submitting internal reports of cybersecurity incidents, implementing external communications plans, and assessing the need to impose trading restrictions on staff so there is no appearance of impropriety.
- Disclose incidents promptly. The new SEC guidance reinforces the need to promptly disclose any cybersecurity incidents relevant to investors. It states: “If cybersecurity incidents or risks materially affect a company’s products, services, relationships with customers or suppliers, or competitive conditions, the company must provide appropriate disclosure.”
But what exactly does “appropriate disclosure” mean? The SEC doesn’t expect you to disclose specific details of your cybersecurity infrastructure that could serve as a road map for hackers, or reveal information important to a law enforcement investigation.
But while it accepts that a certain amount of time may be needed to fully understand the scale and implications of a breach, it warns against using a lengthy investigation to delay disclosure. Initially, you need to at least announce that something happened and you’re investigating it – and then update your disclosures as new and material information about the incident is revealed.
- Don’t issue cookie-cutter disclosures. The new guidelines reinforce the SEC’s traditional stance that disclosures can’t come from generic templates. Instead, the SEC requires companies to file reports on cybersecurity risks and incidents that are “contextually relevant,” meaning they don’t omit any facts that a reasonable investor would consider important information for making investment decisions.
These reports can be periodic or incident-specific, and they can’t be misleading. Every potential detail of an incident should be included; that can even encompass breaches that happened at suppliers, customers, competitors, or any other source that might enhance the risk of an incident happening at your company.
To avoid being accused of issuing a “generic” disclosure, companies should discuss the business, reputational, and legal risks they face from cybersecurity threats. Important points to address may include the types of data and systems you use and the regulatory environment of your industry. Companies may also need to disclose the costs and consequences of previous cybersecurity incidents to put a current event into context.
- Take a hard stance against the appearance of insider trading. Insiders with early knowledge of a major cybersecurity incident may feel tempted to dump their stock before news of the breach causes its value to plummet. But if they’re caught, the penalties of insider trading are harsh for the employee and the business.
The SEC guidelines recommend that companies implement strict policies and procedures that clearly instruct security personnel and management about the legal dangers of insider trading. That may include updating insider trading policies and imposing trade restrictions when necessary, such as implementing a trading blackout in the aftermath of an incident. Of course, it’s also worth noting that the faster incidents are disclosed, the less risk there is of any appearance of impropriety.
Given the SEC’s frequent public remarks on cybersecurity and its decision to expand its guidelines, it’s safe to assume that the agency’s cybersecurity enforcement is ramping up. Overall, the takeaway from the new guidelines is this: as cyber threats explode, companies need to review their cybersecurity disclosures and consider how policies and procedures can be improved so senior management – and investors – receive proper information about incidents and risks.
This enables timely decisions about required disclosures and steps to mitigate the threat of insider trading. A qualified cybersecurity provider can help your company meet the mandates of the SEC’s new guidelines while implementing best cybersecurity practices that keep the rising threat of cyber-attacks at bay.