SEC cybersecurity guidance: Takeaways for boards

Amid increasing cyber threats and recent massive breaches, the SEC issued interpretive guidance on cybersecurity disclosures that applies to public companies registered with the Commission

In light of recent interpretive guidance issued by the Securities and Exchange Commission, boards should review how they discharge their oversight of cyber risk.

Amid increasing cyber threats and recent massive breaches, the SEC issued interpretive guidance on cybersecurity disclosures that applies to public companies registered with the Commission.

The 24-page document published in February reinforces and expands on guidance issued in 2011 by the Division of Corporation Finance. It also addresses two topics not addressed in the prior guidance: the importance of cybersecurity policies and procedures and the application of insider trading prohibitions in the cybersecurity context.

The guidance emphasizes the importance of informing investors in a timely fashion about material cybersecurity risks and incidents. To that end, the guidance notes that disclosure controls and procedures are crucial to a public company’s ability to make any required disclosures in the appropriate timeframe.

Federal securities laws require public companies to include in their proxy statements a description of how the board administers its risk oversight function. To the extent cybersecurity risks are material to a company’s business, that description should include the nature of the board’s role in overseeing the management of that risk. “We believe disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area,” the guidance states.

According to the SEC, the development of effective disclosure controls and procedures “is best achieved when a company’s directors, officers, and other persons responsible for developing and overseeing such controls and procedures are informed about the cybersecurity risks and incidents that the company has faced or is likely to face.”

While most public companies have insider trading policies, the guidance encourages companies to consider whether those policies adequately address cybersecurity incidents that have not yet been publicly disclosed. Shortly after issuance of the guidance, the Department of Justice and the SEC announced insider trading charges against a former chief information officer alleged to have exercised options and sold shares after learning of a major cybersecurity breach and before the breach was publicly announced.

In addition to reviewing the sufficiency of disclosure controls and procedures related to cyber risks and incidents, companies may want to take a fresh look at their disclosures with respect to cyber in the following areas:

  • Risk factors
  • Management’s discussion and analysis
  • Description of business
  • Legal Proceedings
  • Financial statement disclosures
  • Board risk oversight

The guidance notes that companies also may have disclosure obligations under Regulation Fair Disclosure (which prohibits selective disclosure of material, nonpublic information) in connection with cybersecurity matters.

SEC chairman Jay Clayton said the staff will continue to monitor cybersecurity disclosures as part of their selective filing reviews and the Commission will continue to evaluate developments in this area and consider feedback about whether further guidance or rules are needed.