The Securities and Exchange Commission (SEC) recently released guidance on required cybersecurity disclosures for public companies. Approved unanimously, the requirements are designed to address investor concerns about the threat to cybersecurity, which can be costly, and in this day and age, an almost inevitable part of doing business.
Many companies may already be disclosing information about cybersecurity risks and incidents under 2011 guidance from the Division of Corporation Finance. Most frequently, companies disclose risk factors. The SEC expects to see more robust descriptions of the steps and processes the company takes to manage its risks. New requirements also add guidance about the interaction between cybersecurity and insider trading prohibitions.
Companies will need to consider the materiality of their cybersecurity risks and incidents whenever they make a required SEC filing, including annual and periodic reports. Disclosures should reflect their greatest areas of cybersecurity risk that could be harmful to reputation, financial performance, and customer and vendor relationships. Disclosures should not be so specific as to provide detailed information about the weaknesses of a particular system, network, or device, however.
Materiality of cybersecurity risks and incidents should be considered and disclosed to potential investors in registration statements prior to the sale of securities. Cybersecurity risks should also be considered as part of the required disclosures related to a company’s risk factors, MD&A, description of business, legal proceedings, financial statements, and board risk oversight.
In addition to disclosures, public companies will want to take a second look at their policies and procedures. The SEC expects to see cybersecurity policies routinely monitored and that the disclosure controls and procedures reflect the relevant information about cybersecurity risks and incidents.
Insider trading is another area to consider. If directors, officers and other corporate insiders are aware of material nonpublic information regarding cybersecurity concerns that could affect a particular security, it would be violating insider trading requirements if they were to act on that information before the issue were to be made public. Codes of ethics and insider trading policies may need to be updated to reflect cybersecurity concerns.
Companies that are making information known about material cybersecurity concerns prior to announcing it publicly should also take note that they are not in violation of Regulation FD.
What the Change Means for Public Companies
Most companies are likely documenting their cybersecurity efforts already. The new requirements should just be reviewed in light of existing practices to make sure that public companies are prepared for the increased SEC scrutiny of cybersecurity controls, policies, and disclosures that will likely follow.
For more information, please contact Rich Howard of MHM’s Professional Standards Group. Rich can be reached at firstname.lastname@example.org.
Published on February 27, 2018