Yesterday, the SEC announced that it had adopted—without the scheduled open meeting, which was abruptly cancelled with only a cryptic statement—long-awaited new guidance on cybersecurity disclosure. The guidance addresses disclosure obligations under existing laws and regulations, cybersecurity policies and procedures, disclosure controls and procedures, insider trading prohibitions and Reg FD and selective disclosure prohibitions in the context of cybersecurity. The new guidance builds on Corp Fin’s 2011 guidance on this topic (see this Cooley News Brief), adding in particular new discussions of policies and insider trading. While the guidance was adopted unanimously, some of the Commissioners were not exactly enthused about it, viewing it as largely repetitive of the 2011 guidance—and hardly more compelling. Anticlimactic? See if you agree.
In a published statement, Chair Jay Clayton expressed his view that the guidance “will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors.” He encouraged “public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives.” He also indicated that Corp Fin will be monitoring cybersecurity disclosures as part of their selective filing reviews. The SEC will also consider feedback about whether any further guidance or rules are needed.
Some of that feedback is already here—from two of the Commissioners. In a published statement, new Commissioner Robert Jackson expressed his reluctant support for the guidance, which, he said “essentially reiterates years-old staff-level views on this issue. But economists of all stripes agree that much more needs to be done.” That includes the White House’s own Council of Economic Advisers, which Jackson quoted at length: Companies may tend to underinvest in cybersecurity, the Council’s report said, but regulators can provide investment incentives through, for example mandatory disclosure requirements. However, “the effectiveness of the SEC’s 2011 Guidance is frequently questioned. There are concerns that companies underreport events due to alternative interpretations of the definition of ‘materiality’….. There are also concerns that the disclosure requirements are too general and do not provide clear instructions on how much information to disclose, and that they therefore ‘fail to resolve the information asymmetry at which the disclosure laws are aimed.’”
Commissioner Kara Stein likewise “supported the Commission’s guidance, but not without reservation.” In her statement, she indicated that she was “disappointed with the Commission’s limited action.” While the guidance includes “valuable reminders,” she said, the problem
“is that many of these reminders were offered by the staff back in 2011. If our staff has already provided guidance regarding cyber-related disclosures, the question, then, is what we, as the Commission, should be doing to add value given seven additional years of insight and experience…..The more significant question is whether this rebranded guidance will actually help companies provide investors with comprehensive, particularized, and meaningful disclosure about cybersecurity risks and incidents. I fear it will not…. That is why, as I have remarked before, it is imperative that the Commission do more. As we have heard from a variety of commenters since the 2011 staff guidance, guidance, alone, is plainly not enough. This makes it all the more confusing that the Commission more or less reissued that very guidance. Simply put, seven years since the staff guidance was released, despite dramatic increases in cyberattacks and their related costs, there have been almost imperceptible changes in companies’ disclosures. This to me strongly suggests that guidance alone is inadequate.”
Disclosure Obligations Generally; Materiality
The guidance highlights the pervasiveness of, and increasing reliance by companies on, digital technology to conduct their operations and engage with customers and others. In that light, the threat of cybersecurity incidents, whether from unintentional events or deliberate attacks, “presents ongoing risks and threats to our capital markets and to companies operating in all industries.” These events or attacks may include “the use of stolen access credentials, malware, ransomware, phishing, structured query language injection attacks, and distributed denial-of-service attacks, among other means. The objectives of cyber-attacks vary widely and may include the theft or destruction of financial assets, intellectual property, or other sensitive information belonging to companies, their customers, or their business partners.”
In addition to significant financial costs, the guidance identifies these other potential consequences of a breach:
- “remediation costs, such as liability for stolen assets or information, repairs of system damage, and incentives to customers or business partners in an effort to maintain relationships after an attack [including ransom];
- increased cybersecurity protection costs, which may include the costs of making organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third party experts and consultants;
- lost revenues resulting from the unauthorized use of proprietary information or the failure to retain or attract customers following an attack;
- litigation and legal risks, including regulatory actions by state and federal governmental authorities and non-U.S. authorities;
- increased insurance premiums;
- reputational damage that adversely affects customer or investor confidence; and
- damage to the company’s competitiveness, stock price, and long-term shareholder value.”
As in the 2011 guidance, the new guidance explains that, although there are no disclosure requirements that specifically refer to cybersecurity risks and incidents, the obligation to disclose material cybersecurity risks and incidents would still arise, depending on a company’s particular circumstances, in the context of many required disclosure documents, including registration statements and periodic and current reports. For example, the SEC encourages companies to use current reports on Form 8-K to promptly report the costs and other consequences of material cybersecurity incidents. And, under Rule 10b-5 and similar provisions, companies should consider whether their cybersecurity disclosures provide all material facts required to be stated therein or necessary to make the statements therein not misleading. Exchange listing standards also impose disclosure obligations.
In determining whether disclosure regarding cybersecurity risks and incidents is necessary, “companies generally weigh, among other things, the potential materiality of any identified risk and, in the case of incidents, the importance of any compromised information and of the impact of the incident on the company’s operations.”
But how is “materiality” assessed in the context of cybersecurity? The SEC notes that the Basic v. Levinson probability/magnitude test is still a relevant part of the analysis. The SEC also advises that “materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations.” In that regard, the SEC notes that compromised information “might include personally identifiable information, trade secrets or other confidential business information, the materiality of which may depend on the nature of the company’s business, as well as the scope of the compromised information.” Materiality “also depends on the range of harm that such incidents could cause. This includes harm to a company’s reputation, financial performance, and customer and vendor relationships, as well as the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities.” As always, the SEC cautions companies to “avoid generic cybersecurity-related disclosure and provide specific information that is useful to investors.”
Although companies are expected to “disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal, or reputational consequences,” the SEC makes clear that companies are not expected to provide detailed roadmaps or specific technical information about potential system vulnerabilities that would compromise a company’s security protections.
The SEC recognizes that it may take time to investigate and understand the implications of an incident; however, “an ongoing internal or external investigation—which often can be lengthy—would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.” (Recall that the SEC felt obligated to make disclosure about its own cyberbreach, even though the investigation was ongoing.) In addition, the SEC advises companies to consider revisiting prior disclosures as they may have a “duty to update” (where disclosure becomes false as a result of subsequent developments) or a “duty to correct” (where prior disclosures are determined to have been untrue when made, including, the SEC observes, “if the company subsequently discovers contradictory information that existed at the time of the initial disclosure.”)
The federal securities laws do not impose on public companies a general affirmative duty to continuously disclose material information. However, that duty will arise as a result of a number of events or circumstances, such as any of the following:
- to satisfy a company’s SEC reporting requirements, such as under the Form 8-K triggering events;
- to satisfy obligations under a listing agreement with an exchange;
- when the company or its insiders are trading in the company’s securities;
- when the company learns that a prior statement it made was materially untrue or misleading at the time it was made;
- when the company is otherwise making public disclosure and the omission of material information could be misleading; or
- when rumors are in the marketplace that are attributable to the company (although the company is generally not required to respond to conjecture about the company except pursuant to stock exchange guidelines).
Cybersecurity Disclosure Obligations in Specific Contexts
The guidance then discusses how issues related to cybersecurity and cyber incidents are addressed in the context of specific rule requirements.
Companies should disclose the risks related to cybersecurity and cyber incidents if those risks are among the company’s most significant. In determining whether risk factor disclosure is required, the SEC advises that companies consider the following factors: