The Securities and Exchange Commission (SEC) recently released guidance on required cybersecurity disclosures for public companies. Approved unanimously, the requirements are designed to address investor concerns about cybersecurity threats, which can be costly and, in this day and age, an almost inevitable part of doing business.
Many companies may already be disclosing information about cybersecurity risks and incidents under 2011 guidance from the Division of Corporation Finance. Most frequently, companies disclose risk factors. The SEC expects to see more robust descriptions of the steps and processes the company takes to manage its risks. New requirements also add guidance about the interaction between cybersecurity and insider trading prohibitions.
Key Components
Companies will need to consider the materiality of their cybersecurity risks and incidents whenever they make a required SEC filing, including annual and periodic reports. Disclosures should reflect their greatest areas of cybersecurity risk that could be harmful to reputation, financial performance, and customer and vendor relationships. Disclosures should not be so specific as to provide detailed information about the weaknesses of a particular system, network, or device, however.
Materiality of cybersecurity risks and incidents should be considered and disclosed to potential investors in registration statements prior to the sale of securities. Cybersecurity risks should also be considered as part of the required disclosures related to a company’s risk factors, MD&A, description of business, legal proceedings, financial statements, and board risk oversight.
In addition to disclosures, public companies will want to take a second look at their policies and procedures. The SEC expects to see cybersecurity policies routinely monitored and that the disclosure controls and procedures reflect the relevant information about cybersecurity risks and incidents.
Insider Trading
Insider trading is another area to consider. If directors, officers and other corporate insiders are aware of material nonpublic information regarding cybersecurity concerns that could affect a particular security, they would be violating insider trading prohibitions if they acted on that information before the issue was made public. Codes of ethics and insider trading policies may need to be updated to reflect cybersecurity concerns.
Regulation FD
Companies that make information about material cybersecurity concerns known before announcing it publicly should also confirm that they are not in violation of Regulation FD.
What the Change Means for Public Companies
Most companies are likely documenting their cybersecurity efforts already. The new requirements should be reviewed against existing practices to make sure that public companies are prepared for the increased SEC scrutiny of cybersecurity controls, policies, and disclosures that will likely follow.
For more information, please contact Rich Howard of MHM’s Professional Standards Group. Rich can be reached at rhoward@cbiz.com.
Published on February 27, 2018 © Copyright CBIZ, Inc. and MHM.