In light of the increasing significance of cybersecurity incidents, and their potential impact on a company's operations, on February 21, the Securities and Exchange Commission (SEC) issued guidance to public reporting companies regarding disclosure obligations related to cybersecurity risks. This new guidance applies to disclosures in registration statements and periodic and current reports filed under the Securities Act of 1933 and the Securities Exchange Act of 1934, and supplements the Division of Corporation Finance's October 2011 report related to cybersecurity risks and incidents.
The 2018 guidance, which is posted on our CyberAdviser blog, focuses on two aspects of securities laws—an overview of rules requiring disclosure of cybersecurity issues and a reminder to companies and their directors, officers and other corporate insiders of applicable insider trading and selective disclosure prohibitions.
Disclosure Obligations
Any material cybersecurity risks and incidents must be disclosed in the appropriate registration statement, periodic report or current report. When determining materiality of an incident or risk, companies should consider: the importance of the compromised information; the impact on the company's operations; the range of harm caused by the exposure, including reputational damage, financial performance, effect on customer relationships; and possibility of litigation or regulatory investigations or actions. Once a company becomes aware of a cybersecurity risk or incident, it should provide disclosure in a timely manner. Additionally, during the course of a cybersecurity investigation, if it becomes known that any prior disclosure was or has become materially inaccurate, such disclosure must be corrected and updated.
The 2018 guidance focuses on the following disclosure items:
-
Risk Factors, such as:
-
prior cybersecurity incidents, including severity and frequency;
-
probability of occurrence and potential magnitude of cybersecurity incidents;
-
adequacy of preventative actions taken to reduce cybersecurity risks and associated costs, including limits of the company's ability to mitigate or prevent certain threats;
-
aspects of the company's business and operations that give rise to material cybersecurity risks and potential costs and consequences of such risks, including industry-specific risks and third-party supplier and service-provider risks;
-
costs associated with maintaining cybersecurity protections, including insurance coverage related to cybersecurity incidents or payments to service providers;
-
potential for reputational harm;
-
existing or pending laws and regulations that may affect any cybersecurity requirements the company is subject to and any associated costs; and
-
litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.
-
-
MD&A: A company’s analysis should take into account any costs of ongoing cybersecurity efforts, any costs and other consequences of cybersecurity incidents, and any risks of potential cybersecurity incidents. The impact of any cybersecurity incidents must be considered for each reportable segment.
-
Business Description: Companies should provide appropriate disclosure where cybersecurity incidents or risks will materially affect products, services, or customer or supplier relationships.
-
Legal Proceedings: Companies should disclose any material legal proceedings related to cybersecurity issues.
-
Financial Statements: A company should disclose the range and magnitude of a cybersecurity incident in its financial statements on a timely basis, including any: expenses related to investigation, breach notification, remediation, and litigation, including costs of legal and other professional services; loss of revenue, providing customers with incentives, or a loss of customer relationship asset value; claims related to warranty, breach of contract, product recall/replacement, indemnification, and insurance premium increases; and diminished future cash flows, impairment of intellectual, intangible or other assets, recognition of liabilities, or increased financial costs.
-
Board Oversight of Risk: The guidance focuses on the requirement to disclose the extent of the Board of Directors' oversight role in the company's internal and external risk assessment and management.
In addition, the 2018 guidance recommends assessment of the company's disclosure controls and procedures as they relate to cybersecurity and the need to continually assess any changes or updates to such procedures.
Insider Trading and Selective Disclosure Prohibitions
The 2018 guidance reminds companies about the prohibition on insider trading by directors, officers and other corporate insiders while in possession of material non-public information related to cybersecurity risks and incidents. As part of a response to a cybersecurity incident, it may be prudent for the company to take steps to ensure that insiders are not trading based on knowledge of a cybersecurity incident, and that compliance personnel responsible for administering a company's stock purchase/sale program is fully aware of the cybersecurity incident and its potential impact on trades by company insiders. In addition, companies should always be mindful of the obligation not to selectively disclose cybersecurity risks and incidents to Regulation FD enumerated persons before such information is publicly disclosed.
Ballard Spahr's Securities Group advises private and public companies, underwriters, selling stockholders, and officers and directors, as well as private equity funds, venture capital firms, and institutional investors in compliance matters, capital-raising activities, and other transactions.
Our Securities Enforcement and Corporate Governance Litigation Group advises companies and their officers and directors on every type of securities and corporate governance claim and represents clients in regulatory proceedings and litigation involving the SEC, state attorneys general, and state securities regulators.
Ballard Spahr's Privacy and Data Security Group provides a full range of counseling, transactional, regulatory, investigative and litigation services across industry sectors. Our cross-disciplinary team of attorneys helps clients around the world mitigate cyber risk, investigate and respond to cyber incidents, and navigate post-incident enforcement, compliance and litigation risk.
For more information on this topic, or if you have questions, please contact Gerald J. Guarcini at (215) 864-8625; Mary J. Mullany at (215) 864-8631; or David L. Axelrod at (215) 864-8639.