Understanding the SEC’s Guidance on Cybersecurity Disclosures and Compliance

By: Marty Dunn, Senior of Counsel, Morrison & Foerster; Suzanne Barr, Associate General Counsel, Fannie Mae; Emily Beers, Associate, Morrison & Foerster. Date: May 24, 2018.

Presentation Transcript


1. Understanding the SEC’s Guidance on Cybersecurity Disclosures and Compliance
  By: Marty Dunn, Senior of Counsel, Morrison & Foerster
  Suzanne Barr, Associate General Counsel, Fannie Mae
  Emily Beers, Associate, Morrison & Foerster
  Date: May 24, 2018

2. Overview
  • The Securities and Exchange Commission (the “SEC”) issued guidance on February 21, 2018 regarding cybersecurity disclosures and related matters.
  • The guidance was an update to SEC Staff guidance issued in October 2011.
  • Although the SEC guidance largely tracked the October 2011 Staff guidance, it did introduce a few additional elements for consideration.
  • The SEC Enforcement Division also has brought two cases in the cybersecurity area, one related to insider trading and another related to cybersecurity disclosure.

3. 2011 Staff Guidance
  • In October 2011, the SEC’s Division of Corporation Finance issued disclosure guidance to assist publicly-traded companies “in assessing what, if any, disclosures should be provided about cybersecurity matters in light of each registrant’s specific facts and circumstances.”
  • CF Disclosure Guidance Topic No. 2 reviews the applicability of existing SEC disclosure requirements to today’s cybersecurity concerns, noting that:
    • businesses increasingly focus on or rely on internet communications and remote data storage;
    • risks and potential costs associated with cyber attacks and inadequate cybersecurity are increasing; and
    • as with other operational and financial risks and events, companies should on an ongoing basis review the adequacy of disclosure relating to cybersecurity risks and other cyber incidents.

4. 2011 Staff Guidance (cont’d)
  • The Staff highlighted a number of critical considerations, including:
    • potential costs and other negative consequences, such as increased protection costs (e.g., additional personnel, training, third-party consultants), remediation costs, liability for stolen assets or information, the repair of damaged systems, and incentives for customers to maintain the business relationship after a cyber attack;
    • lost revenues arising from the unauthorized use of proprietary information, and the failure to retain or attract customers;
    • litigation; and
    • reputational damage.
  • Risk Factors: consider the probability that cyber incidents will occur in the future, and the potential costs and other consequences
    • Issuers must evaluate prior cyber incidents, including the severity and frequency of such incidents, as well as the probability of cyber attacks occurring
    • To the extent material, risk factor disclosure of potential cyber incidents may be necessary and may include aspects of a company’s operations that give rise to or mitigate these cyber risks
    • Avoid “boilerplate” risks that generally apply to all public companies

5. 2011 Staff Guidance (cont’d)
  • MD&A: address cybersecurity risks or incidents if the costs or other impact of a known cyber risk or incident represents a material event, trend or uncertainty that is reasonably likely to have a material effect on the company’s results of operations, financial condition or liquidity
    • MD&A disclosure may be required even if a past cyber incident did not have a material effect on the company’s financial condition, if the incident caused the company to materially increase its cybersecurity expenditures
  • Business disclosures: evaluate the impact of cyber incidents or cybersecurity risks on each reportable business segment
  • Legal proceedings: describe material pending legal proceedings related to a cyber incident
  • Financial statement disclosures: consider accounting principles that may be important when summarizing the impact of a cyber incident on the company’s financial statements
  • Disclosure controls and procedures: consider the risk to the company’s ability to record, process, summarize and report information

6. 2018 Commission Guidance
  • SEC Commissioners issued guidance on February 21, 2018 that substantially reiterates 2011 SEC Staff guidance on cybersecurity disclosure
  • The guidance addresses whether and when a company has a duty to disclose information regarding the material effects of a potential or existing cyber attack. A duty to disclose could arise from:
    • “Line item” requirements in an SEC form;
    • Rule 12b-20 – failure to disclose would be an omission of information that makes disclosed information materially misleading; or
    • A “duty to correct” a prior disclosure determined to be untrue or misleading at the time it was made.
  • After a cyber attack, a company may have a duty to disclose that attack per the above-described requirements, or may choose to voluntarily make public disclosure regarding the attack for business reasons

7. 2018 Commission Guidance (cont’d)
  • Whether or when to disclose – SEC Guidance
    • The SEC expressed its understanding that it may take some time to discern the implications of a cybersecurity incident, including internal investigations and working with regulators.
    • However, the SEC stated its view that an “ongoing internal and external investigation would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.”
  • The principal sections of a periodic report that may require disclosure of a cybersecurity incident or the risks thereof, if material, include:
    • Risk Factors;
    • MD&A;
    • Business;
    • Financial Statements;
    • Legal Proceedings; and
    • Board Oversight of Risk Management – if cybersecurity risks are material, the company should disclose how the board discharges that oversight authority.

8. 2018 Commission Guidance (cont’d)
  • In determining the materiality of an incident, a company should consider all relevant factors, including:
    • the importance of compromised information (if any);
    • the impact of an incident on a company’s operations;
    • the nature, extent, and potential magnitude of a risk or incident; and
    • the potential range of harm – including as it relates to the company’s reputation, financial performance, customer/vendor relationships, and/or the possibility of litigation or regulatory investigations or actions.
  • Timing of assessment of materiality factors
    • At the initial phases of an investigation, it may be very difficult to assess the materiality of the incident, which involves balancing the potential magnitude of harm with the likelihood of such harm. If the potential range of harm is high, consideration should be given to including disclosure regarding the incident and its potential impacts, noting that the investigation is at an early stage.
    • As an investigation develops, the SEC likely would expect some incremental disclosure, although, as noted above, the SEC has recognized that certain information may not be available until an investigation has been completed.

9. 2018 Commission Guidance (cont’d) – Other key takeaways
  • The SEC guidance emphasizes the importance of policies and procedures around cybersecurity issues
    • Disclosure controls and procedures
    • Insider trading policies
  • The SEC has directed the Staff to continue to monitor cybersecurity disclosures very carefully
  • Possibility of future rulemaking, but not likely in the near term
    • Commissioner Stein in particular indicated that the guidance did not go far enough and suggested a potential new S-K item related to cybersecurity
  • Duty to update? Or just a duty to correct?
    • Application of Rule 12b-20
  • Remember Regulation FD in this context

10. 2018 Commission Guidance – Insider Trading
  • The Commission made clear that information relating to a cybersecurity incident may be “material” for purposes of insider trading laws.
  • Because insider trading risks could result from weak controls around cybersecurity risks and incidents, companies are encouraged to have in place policies and procedures to prevent trading on the basis of all types of material nonpublic information, including cybersecurity risks and incidents.
  • When a cybersecurity incident occurs, or when a company is investigating such an incident, the guidance advises that consideration should be given as to whether restrictions on insider trading (e.g., a trading blackout) should be put in place.
  • The guidance suggests that “companies would be well served by considering how to avoid the appearance of improper trading during the period following an incident and prior to the dissemination of disclosure.”

11. SEC Enforcement Action – Cyber Disclosure
  • On April 24, 2018, Altaba (f/k/a Yahoo!) agreed to pay a $35 million penalty to settle charges that it misled investors by failing to disclose one of the world’s largest data breaches.
  • Yahoo’s information security team informed Yahoo’s senior management and legal department of the December 2014 breach within days, but Yahoo made no public disclosure for more than two years.
  • In the two years before public disclosure, Yahoo’s SEC filings stated that it faced only the risk of, and negative effects that might flow from, data breaches. Those filings did not disclose that the company had been the subject of breaches or the materiality of such breaches.
  • Per the SEC Order – (1) in SEC filings during the two-year period following the breach, Yahoo failed to disclose the breach or its potential business impact and legal implications; (2) Yahoo did not share information regarding the breach with its auditors or outside counsel to help assess the company’s disclosure obligations in its public filings; and (3) Yahoo failed to maintain proper disclosure controls and procedures.
  • SEC Staff – “We do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.”

12. SEC Enforcement Action – Insider Trading
  • On March 14, 2018, the SEC charged a former chief information officer of an Equifax business unit with insider trading in advance of Equifax’s September 2017 data breach announcement.
  • According to the SEC’s complaint:
    • The officer allegedly used confidential information entrusted to him to conclude that Equifax had suffered a serious data breach.
    • Before Equifax’s public disclosure of the breach, the officer allegedly exercised all of his Equifax stock options and sold the shares, realizing proceeds of nearly $1 million.
    • By selling before public disclosure of the breach, the officer avoided more than $117,000 in losses.
  • The SEC complaint charges the officer with violating the antifraud provisions of the federal securities laws and seeks disgorgement of ill-gotten gains plus interest, penalties and injunctive relief.
  • The U.S. Attorney’s office filed parallel criminal charges.

13. Recommended Actions
  • Review disclosures and consider whether cybersecurity disclosure needs to be enhanced
    • Because many calendar-year-end companies had filed their 10-Ks, or were essentially finished with them, when the guidance was issued, we expect those companies to evaluate the need for incremental disclosure in their 10-Qs and perhaps take a larger pass at revamping disclosures with the next 10-K
    • If a company has had a significant cybersecurity incident, it should carefully consider the guidance in its evaluation of the required disclosure, as the Staff will be focused on such disclosures
  • Review disclosure controls and procedures to ensure that information on cybersecurity breaches, costs, litigation, etc. reaches the appropriate persons for disclosure consideration
  • Review insider trading policies to ensure cybersecurity is appropriately addressed

14. Practice Pointers
  • Quarterly meetings with risk and information security teams
  • Annual refresh with benchmarking
  • Revisit in light of developments
  • Multiple stakeholders (board, management, disclosure committee, communications)

  15. Thank you!