Commission Statement and Guidance on Public Company Cybersecurity Disclosures

On February 21, 2018, the Securities and Exchange Commission (the “Commission”) issued an interpretive release (the “release”) that reinforces and expands the guidance on reporting and disclosing cybersecurity risks and incidents that was previously issued in 2011 by the Division of Corporation Finance (the “Division”). This new release became effective on February 26, 2018.
In response to the increasing significance of cybersecurity incidents, the Commission issued this release, which outlines its views with respect to cybersecurity disclosure requirements under the federal securities laws as they apply to public operating companies[1]. In addition, this release addresses the importance of cybersecurity policies and procedures and the application of insider trading prohibitions in the cybersecurity context.
The Division’s 2011 guidance reminded registrants that although existing disclosure requirements do not explicitly include cybersecurity risks or cyber incidents, registrants may nonetheless be obligated to make such disclosures. The specific disclosure obligations within the Division’s 2011 guidance included:

  • Risk Factors
  • Management’s discussion and analysis of financial condition and results of operations (“MD&A”)
  • Description of Business
  • Legal Proceedings
  • Financial statement disclosures
  • Disclosure controls and procedures

Each of those specific disclosure obligations was reinforced within the release. Additionally, the release expanded upon the Division’s 2011 guidance by including a focus on the following new topics:

  • Stressing the importance of cybersecurity policies and procedures – companies were reminded that establishing and maintaining effective disclosure controls and procedures must include considerations for cybersecurity. The Commission also reminded companies to consider the materiality of cybersecurity risks and incidents when preparing their disclosures and outlined the relevant obligations companies have with respect to periodic reports, Securities Act and Exchange Act filings, and Current Reports.
  • Application of insider trading prohibitions in the cybersecurity context – cybersecurity risks and incidents may create material nonpublic information. The Commission encouraged companies not only to consider the federal securities laws related to insider trading, but also to review the insider trading policies and procedures they already have in place to prevent trading on the basis of material nonpublic information related to cybersecurity risks and incidents. In addition, the Commission expects companies to have policies and procedures to ensure that any disclosures of material nonpublic information related to cybersecurity risks and incidents are not made selectively, and that they comply with the Regulation FD disclosure requirements.
  • Board risk oversight disclosures – the release expands these disclosures to include cybersecurity risks when a company describes how its board of directors administers its risk oversight function.

Shortly after the release, Chairman Clayton issued a statement summarizing the new topics and encouraging companies to “examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives.”
Consistent with the Division’s 2011 guidance, the Commission’s release reinforced the notion that companies are not to provide a “roadmap” on how to compromise their systems. Instead, companies are to provide meaningful disclosures that would be material to an investor and to provide such disclosures in a timely fashion.

[1] This release does not address the specific implications of cybersecurity to other regulated entities under the federal securities laws, such as registered investment companies, investment advisers, brokers, dealers, exchanges, and self-regulatory organizations.