Written by Cara Peterman, Lauren Macon and Hillary Li
The Securities and Exchange Commission (SEC) issued a press release announcing its unanimous approval of a statement by SEC Chairman Jay Clayton and interpretive guidance (the “2018 Guidance”) to assist public companies in preparing disclosures about cybersecurity risks and incidents. This is the first interpretive guidance published by the full Commission on the topic of cybersecurity for public companies, and it may foreshadow increased SEC action to protect investors from the potential negative effects of increasingly common large-scale data breaches. The 2018 Guidance formalizes and expands on the SEC staff’s earlier position that cybersecurity risks and incidents may trigger disclosure obligations for public companies and addresses the SEC’s expectations for public company disclosure controls and procedures as they relate to cybersecurity.
In 2011, the SEC’s Division of Corporation Finance released CF Disclosure Guidance: Topic No. 2 (the “2011 Guidance”), addressing the staff’s views that companies may be required to disclose cybersecurity risks and incidents as part of their existing disclosure obligations. Since 2011, the SEC has issued intermittent informal statements relating to cybersecurity, including in connection with its Cybersecurity Roundtable in 2014 and Chairman Clayton’s September 2017 Statement on Cybersecurity, which disclosed an intrusion into the SEC’s own data systems. Given the SEC’s public focus on cybersecurity issues, it has long been expected that the SEC would issue more formal guidance.
In many respects, the 2018 Guidance varies little from the 2011 Guidance and addresses disclosure issues that most public companies have already integrated into their disclosure processes. Among other things, the 2018 Guidance reinforces that companies should consider the materiality of cybersecurity risks and incidents when preparing disclosures.
The 2018 Guidance does, however, provide a more comprehensive and detailed view of the SEC’s expectations for public company disclosures. Notably, the 2018 Guidance repeatedly emphasizes that required disclosures should be made “timely” and on an ongoing basis, and states that the existence of an ongoing investigation into a cybersecurity incident does not—standing alone—provide a basis for avoiding timely disclosure of a material incident. The majority of the new content in the 2018 Guidance otherwise pertains to disclosure controls and procedures generally and ensuring that such processes effectively address cybersecurity risks and incidents. Finally, the 2018 Guidance encourages companies to review their insider trading policies as they relate to non-public cybersecurity risks and incidents and to consider prohibiting trades between discovery of a potential breach and disclosure of that breach.
The 2018 Guidance is effective upon publication in the Federal Register, which typically occurs within 4–7 days of release.