The Securities and Exchange Commission's Chair Jay Clayton issued a statement on February 21 about public companies' cybersecurity disclosures:
"In today's environment, cybersecurity is critical to the operations of companies and our markets...I urge public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives..."
The above excerpt encapsulates the Commission's Guidance on Public Company Cybersecurity Disclosures,1 published concurrently with Clayton's statement and expressing the SEC's view that public companies should adopt comprehensive cybersecurity policies and procedures.
Disclosure of Material Information
Cybersecurity-related disclosure is currently a priority in SEC reviews of companies' periodic reports. Each of the following sections of a company's SEC reports may require cybersecurity-related disclosure: Risk Factors, MD&A, Description of Business, Legal Proceedings, Board Risk Oversight and Financial Statements.
Companies' disclosure controls and procedures (DC&P) should be robust enough to ensure accurate and timely disclosure of material cybersecurity-related events and information. Important in this context is open communication between technical experts and the people responsible for disclosure decisions. The officers responsible for certifying the company's DC&P should take into account the degree to which the effectiveness of those DC&P may be impacted by cybersecurity risks.
Detailed technical information about a company's cybersecurity systems and vulnerabilities does not have to be disclosed. Rather, companies should disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial and other consequences such as remediation costs, lost revenues, litigation expenses, regulatory fines, insurance premiums, reputational damage and damage to competitiveness, stock price and long-term shareholder value. In assessing the materiality of a potential cybersecurity incident, companies should consider the probability of the event occurring and its anticipated magnitude—the same analysis as is done for other potentially material corporate events.
Specifically regarding financial statement disclosure, the SEC guidance indicates that companies' financial reporting and control systems should be designed to provide reasonable assurance that information about the range and magnitude of the financial impacts of a cybersecurity incident will be incorporated into the financial statements on a timely basis.
In the face of a cybersecurity incident, some material facts may not be available at the time of initial disclosure; a company may need time to assess the full implications of the incident; the company may be in the midst of cooperating with law enforcement officials; and an ongoing investigation may affect the scope of public disclosure that is ultimately provided. But despite all that, the SEC stated explicitly that the existence of an ongoing internal or external investigation of a cybersecurity incident is not by itself a basis for avoiding disclosure of a material cybersecurity incident.
Insider Trading and Selective Disclosure
The insider trading prohibitions and the Regulation FD rules on selective disclosure apply to material nonpublic information about cybersecurity risks and incidents. Accordingly, the SEC guidance indicates that:
- companies' codes of conduct and insider trading policies should be designed to prevent improper trading and tipping in this context; and
- a company in the midst of investigating and assessing the materiality of a cybersecurity incident should consider imposing a trading blackout period, which would help avoid the appearance of improper trading during the period following a cybersecurity incident and before public disclosure.
The SEC guidance is consistent with cybersecurity disclosure guidance published by Canadian securities regulators and the International Organization of Securities Commissions.2 Like the SEC, Canada's securities regulators have made cybersecurity a priority when reviewing public companies' disclosure documents. On both sides of the border, companies are expected to provide tailored, entity-specific, non-boilerplate information about cybersecurity preparedness, risks and incidents.
2 For a discussion of the IOSCO guidance and Canadian securities regulators' guidance, please see Torys' publications "Securities Regulators Publish Guidance on Cybersecurity," "Regulators Weigh in on Cybersecurity" and "All Hands on Deck: Mitigating Cyber Attacks."
To discuss these issues, please contact the author(s).
This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.
For permission to republish this or any other publication, contact Janelle Weed.
© 2019 by Torys LLP.
All rights reserved.