On Wednesday, February 21, the U.S Securities and Exchange Commission (SEC) published interpretive guidance for public companies disclosing cybersecurity risks and incidents. The guidance provides insight into the regulator’s current thinking on disclosure obligations. Protiviti has prepared a Flash Report, summarizing the guidance and its likely impacts.
Cybersecurity is among the most critical risks that organizations need to address today. Expanding on guidance issued in 2011, the SEC lays out the threat landscape and provides detailed examples of challenges, ranging from unintentional events to deliberate attacks by insiders or third parties, including cybercriminals, competitors, nation-states and so-called hacktivists. In addition to reinforcing previous guidance, the new release focuses on the importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents and reiterates insider trading prohibitions against selective disclosures of material nonpublic information about cybersecurity risks or incidents.
Reports and Disclosures — The SEC stresses that companies should consider the materiality of cybersecurity risks and incidents when preparing the disclosure that is required in registration statements (Form S-1) as well as periodic (10-Q, 10-K) and current (8-K) reports.
Cybersecurity Risk Factors — Companies are required to disclose the most significant risk factors that may make investments in their securities speculative or risky. Under these requirements, companies should disclose the risks associated with cybersecurity and/or cybersecurity incidents if they would be considered relevant to such investments.
Financial Statement Disclosures — Cybersecurity incidents and the risks that result therefrom may affect a company’s financial statements. The SEC expects a company’s financial reporting and control systems to be designed to provide reasonable assurance that information about the range and magnitude of the financial impacts of a cybersecurity incident is incorporated into its financial statements on a timely basis.
Board Risk Oversight — An issuer is required to disclose the extent of its board of directors’ role in the risk oversight of the company, including cybersecurity risks to the extent such risks are material to the company. For example, such disclosures might consider how the board administers its oversight function, including oversight of cybersecurity risks, and the effect this has on the board’s leadership structure.
Disclosure Controls and Procedures — Cybersecurity risk management policies and procedures are key elements of enterprisewide risk management. Thus companies should adopt comprehensive policies and procedures related to cybersecurity and assess their compliance regularly, including the sufficiency of their disclosure controls and procedures as they relate to cybersecurity disclosures.
Regulation FD and Selective Disclosure — The SEC reminds companies that they may have disclosure obligations under Regulation FD in connection with cybersecurity matters. Companies and persons acting on their behalf should not selectively disclose material, nonpublic information regarding cybersecurity risks and incidents to Regulation FD enumerated persons before disclosing that same information to the public.
A Call to Action
This guidance is a wake-up call for issuers to evaluate the adequacy of their disclosure controls and procedures and a warning for companies to ensure they watch for any illegal sales of securities by their executives motivated by yet-to-be-disclosed cybersecurity issues. We recommend management consider the following:
- Conduct a periodic, robust cybersecurity risk assessment to proactively identify new and emerging cyber threats.
- Consider whether there is a sufficient basis for disclosures asserting the adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs.
- Consider whether there is a sufficient basis for disclosures asserting the adequacy of cyber incident response processes.
- Evaluate the effectiveness of the disclosure controls and procedures in place to provide investors the information they need to understand the issuer’s cyber risks and incidents.
- Consider engaging the appropriate cybersecurity representatives on the disclosure committee.
These recommendations apply to public companies and are not intended to be exhaustive. Issuers may want to consult with legal counsel in evaluating the adequacy of their disclosure controls and procedures as they relate to cybersecurity risks and incidents.