SEC Cyber Briefing: Regulatory Expectations for 2019
Cybersecurity has played an important role in the U.S. Securities and Exchange Commission’s regulatory agenda during the past year.
And it’s likely to become even more important in 2019.
During 2018, the SEC has made moves on three fronts: issuing long-awaited guidance concerning cybersecurity disclosure issues for public companies; commencing enforcement actions against several companies for cyber-related ball drops; and finally, issuing an investigatory report about internal control failures relating to cyber or “business compromise” email fraud, which resulted in $100 million in losses.
In this three-part series, we’ll look at each of these developments and the way they will likely influence the SEC’s regulatory and enforcement agenda next year.
Here is our first installment:
SEC’s 2018 Guidance
In late February 2018, the Commission released updated interpretive guidance urging companies to be more transparent in disclosing cybersecurity risks in their public filings; to disclose material data security incidents in a “timely fashion;” and to implement safeguards such as trading bans to prevent insiders from selling securities after a breach is detected but before it is publicly disclosed. The guidance also underscores the responsibilities of senior management and boards in cyber risk oversight.
The SEC’s updated guidance reiterates and reinforces the Commission’s Staff guidance issued seven years ago by the Division of Corporate Finance, which called for companies to assess what disclosures might be required about cybersecurity risks and incidents. But the new guidance – issued by the Commission itself – underscores the “grave threats to investors” and our financial systems posed by cybercrime and the uptick in the sophistication and severity of cyber-attacks on public companies. It also encourages focused and tailored cyber disclosures based on an assessment of a company’s risk profile rather than general boilerplate disclosures.
The updated guidance focuses on six key areas:
Pre-Incident Public Disclosure
Although the updated guidance does not require detailed disclosures about a company’s IT systems or vulnerabilities – to avoid giving a roadmap for mischief – but advises a holistic assessment based on the overall materiality of cyber risk to an organization and its operations. In particular, the Commission advises companies to consider among the following in preparing cyber risk disclosures:
▪ Prior cybersecurity incidents including their severity and frequency
▪ Probability of incident occurrence and potential magnitude of an incident
▪ Limitations on the company’s ability to prevent or mitigate cyber risk
▪ Particular industry specific or third-party vendor/supplier risk
▪ Potential for reputational harm
▪ Legal risks and costs of enforcement actions by other regulatory bodies (specifically referencing New York’s new cybersecurity regulations for financial institutions and insurance companies)
When deemed material, the Commission advises that proxy statements contain disclosures about a board’s role and engagement in cyber risk oversight. The Commission also noted that cyber risk disclosures might, depending on the circumstances, be reflected not only in risk factor disclosures but in the company’s MD&A, description of its business, disclosure of legal proceedings, and financial reporting “to provide reasonable assurance that information about the range and magnitude of the financial impacts of a cybersecurity incident would be incorporated into its financial statements….”
Data Security Incident Disclosure
One of the most challenging and practical questions for any organization is the public disclosure of a data security incident. Although the guidance makes clear that timely disclosure of material cybersecurity incidents is required, it concedes that “some material facts may not be available at the time of the initial disclosure.” Cooperation with law enforcement and incident investigation – which the Commission acknowledges is “often … lengthy” – will affect the scope of any disclosure. That said, the guidance warned that cooperation with law enforcement or ongoing investigations does not, “on its own,” provide a basis for not disclosing a material cybersecurity incident.
Controls and Procedures
As has been the trend with state-level data security regulations, the guidance also focuses on the role of senior corporate leaders and a company’s board of directors. To that end, the guidance encourages the following steps:
▪ Assess existing disclosure controls and procedures to ensure that cyber risk and incident information “is processed and reported” to critical stakeholders “including up the corporate ladder” so that senior management is able to make informed disclosure decisions and compliance certifications, together with controls to assess compliance with such controls and procedures on a regular basis
▪ If such controls are lacking, develop and implement a process so that important cyber risk and incident information is collected and elevated to senior levels for appropriate decision-making and oversight
Insider Trading and Regulation FD
Finally, the guidance reminds companies of the risk posed by insiders who trade securities between the time a breach is discovered and when it is publicly disclosed. The Commission “encourages” public companies to put in place policies and procedures to prevent trading on material non-public information relating to cybersecurity risks and incidents including trading restrictions to avoid even the “appearance of improper trading during the period following an incident and prior to the dissemination of disclosure.”
The Commission encourages “companies to consider how their codes of ethics and insider trading policies take into account and prevent trading on the basis of material nonpublic information related to cybersecurity risks and incidents.”
The guidance also warns against disclosing cybersecurity incident information selectively and reminds companies to disclose incident information on Form 8-K to manage the risk of selective disclosure.
▪ Revisit and, if necessary, refresh data security related public disclosures to ensure compliance with the new guidance
▪ Consider adequacy of internal controls and procedures for identifying cybersecurity risks and incidents as part of the design and effectiveness of a company’s disclosure controls and procedures
▪ Update existing enterprise-wide data security policies, plans, and procedures
▪ Ensure that controls are in place to escalate cyber risk and incident engagement and oversight by senior corporate leaders and the board
▪ Review data security incident disclosure process to ensure key stakeholders are notified of significant data security incidents and establish a decision-making process and protocol to timely disclose material cybersecurity incidents
▪ Revise codes of conduct and internal securities trading policies to ensure that, as appropriate, securities trading restrictions are put in place upon the detection of a material cybersecurity incident
In our next installment, we’ll take a look at several key enforcement actions taken by the SEC during the past year. Stay tuned.