As the SEC has made clear on numerous occasions over the past year, cybersecurity will continue to be a major enforcement priority under the Commission’s new leadership. As we have previously covered, one new area of potential enforcement activity that the SEC has warned about concerns the failure of public companies to make disclosures regarding material cyber events. While the SEC had previously provided some guidance to publicly traded companies about when to disclose such events, that 2011 guidance still left many questions unanswered.
Just last week, the Commission attempted to provide some additional clarity regarding when disclosure of both cyber threats and events is required, addressed controls that issuers should put in place to address the need to disclose a cyber event, and also warned publicly traded companies and their executives against trading on inside information regarding a cyber-incident.
The SEC’s guidance regarding when disclosure is required focuses on the materiality of a particular cyber risk or breach. This should not be surprising as materiality is the standard that almost always guides an issuer’s disclosure obligations. The Commission considers omitted information to be material if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or a reasonable investor would have viewed the omitted information as having “significantly altered the total mix of information available.” The SEC emphasized in the guidance that this standard applies not just to actual cyber events or breaches, but also to the material risk of a cyber-event. The Commission also stressed that the need to make a disclosure must be analyzed on a case-by-case basis, depending on the nature, extent and potential magnitude of the risk or breach. In assessing whether disclosure is required, a company should consider the range of harm that an incident could cause, including to a company’s reputation, financial performance, and customer or vendor relationships, along with the possibility of litigation or regulatory actions. The obligation to disclose is not limited to periodic reports such as 10-Ks or 10-Qs; it can also include current reports in an 8-K or 6-K.
While the SEC made very clear that disclosure of material cyber events is mandatory, it also highlighted that a company should not make detailed disclosures that might compromise its cybersecurity efforts or provide a “roadmap” for those seeking to penetrate a company’s security systems.
One of the more interesting aspects of the new guidance is the SEC’s focus on insider trading related to cyber events or threats. In this regard, the SEC made clear that material, non-public information regarding cyber events should be treated no differently than any other material, non-public information. Officers, directors and other executives cannot trade on such information, and companies should have policies and procedures in place to guard against them doing so and also to help ensure the company makes timely disclosure of such information. Issuers should carefully review their code of ethics and insider trading policies to ensure they specifically address cybersecurity risks and incidents. Companies should also consider implementing restrictions on insider trading of securities during a cybersecurity investigation.
So, what does this all mean? The SEC has already indicated that it will bring an enforcement action in the right case against a publicly traded company for failure to make cyber-related disclosures, and this guidance only emphasizes the seriousness with which the Commission views the cyber threat and its effect on securities markets. In announcing the new guidance, Chairman Jay Clayton noted that he has asked the Division of Corporate Finance to “continue to carefully monitor cybersecurity disclosures as part of their selective filing review.” Given all of the warnings, it is likely we will see such a case sooner rather than later. The guidance does not provide a clear roadmap about when companies must disclose a cyber-threat or incident, but it does provide an important reminder that issuers must review their policies and procedures regarding cyber incidents to ensure relevant information about cyber-risks and incidents is reported to the appropriate personnel so that disclosure can be considered.
Additionally, it is also highly likely that the SEC will conduct parallel insider trading investigations as a matter of course when an issuer experiences a material cyber event. Issuers should thus closely review their insider trading policies and make sure executives and employees involved in a cyber-incident investigation understand that they may possess material, non-public information. More developments in this area are likely over the remainder of 2018. We will follow them closely and continue to cover them here.