Last week the U.S. Securities and Exchange Commission (SEC) published new cybersecurity guidance for public companies. The guidance reinforces and expands upon a 2011 SEC publication, and highlights two additional topics: (1) the importance of robust cybersecurity disclosure policies and procedures and (2) the application of insider trading prohibitions in the cybersecurity context.
Disclosure Controls and Procedures
The guidance stresses the need for companies to “adopt comprehensive policies and procedures related to cybersecurity” in order to satisfy pre-existing reporting obligations. Such policies “should not be limited to disclosure specifically required, but should also ensure timely collection and evaluation of information potentially subject to required disclosure.” In addition, companies should adopt procedures that enable them to pinpoint cybersecurity risks and identify incidents, and “provide for open communications between technical experts and disclosure advisors.”
According to the SEC, there must be sufficient controls and procedures in place to ensure that relevant information about cybersecurity incidents “is processed and reported to the appropriate personnel, including up the corporate ladder.” This means that companies should have a clear escalation path from employees/IT personnel to the C-suite and up to the boardroom. While the guidance acknowledges that public disclosures on cybersecurity incidents may necessarily be limited at times, companies should adopt procedures to update disclosures as they learn additional information. Significantly, “an ongoing internal or external investigation – which often can be lengthy – would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.”
As the guidance notes, information about a company’s cybersecurity risks and incidents may be material nonpublic information. It is illegal to trade a security “on the basis of material nonpublic information about that security or issuer, in breach of a duty of trust or confidence that is owed directly, indirectly, or derivatively, to the issuer of that security or the shareholders of that issuer, or to any other person who is the source of the material nonpublic information.” “The materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude” and on the “range of harm that such incidents could cause,” including possible litigation or regulatory action.
To prevent illegal insider trading, companies should adopt policies and procedures to “guard against directors, officers, and other corporate insiders taking advantage of the period between the company’s discovery of a cybersecurity incident and public disclosure of the incident to trade on material nonpublic information about the incident.” This may include restricting insider trading while a cybersecurity incident, or a discovered cybersecurity risk or vulnerability, is under investigation.
All public companies should take a close look at their policies and procedures on disclosures and insider trading to ensure that they specifically address cybersecurity incidents and cybersecurity risks.