It is well known that secrets don’t make friends, and if you’re a public operating company, this is especially true for disclosures related to material cybersecurity issues. Last week, the Securities and Exchange Commission issued a guidance that serves as a reminder for public companies of their cybersecurity disclosure requirements under federal securities laws. The publication reinforces and expands on a similar guidance issued in 2011 by the Division of Corporation Finance, but also focuses on two topics that were not previously addressed: the importance of cybersecurity policies and procedures, and applicable insider trading prohibitions in the cybersecurity context.
The 24-page publication provides direction in essentially three areas. It provides an overview of the rules requiring disclosure of cybersecurity issues, it discusses the need for adequate controls and procedures that would enable a company to make timely disclosures, and it briefly reminds companies of their duty to comply with laws related to insider trading in connection with information about cybersecurity issues.
With a goal of “assist[ing] public companies in preparing disclosures about cybersecurity risks and incidents,” the guidance not only attempts to describe what cyber-related information is required to be disclosed, but also identifies the information that companies are not required to disclose, namely “specific, technical information about their security systems, the related networks and devices, or potential system vulnerabilities in such details as would make such systems, networks, and devices more susceptible to a cybersecurity incident.” While this seems to provide some useful guidance, companies may struggle to understand what this means since the publication also indicates that, “nevertheless, we [the SEC] expect companies to disclose cybersecurity risks and incidents that are material to investors …,” and that such disclosures should “avoid generic cybersecurity-related disclosure and provide specific information that is useful to investors.” How companies will provide information that is specific enough to be useful to investors, yet not specific enough to help nefarious individuals penetrate their systems, is still left to the companies to determine, and doing so requires expertise in, and an understanding of, the intersection of information security and the law.
Although the SEC unanimously approved the guidance, it was with reservation. For example, on February 21, SEC Commissioner Kara M. Stein issued a statement on the guidance in which she explained that the SEC could have done more to help companies formulate more meaningful disclosures for investors, especially given that the SEC had accumulated seven years of experience and insight since the 2011 guidance was released. Rather than issuing a guidance that Stein believes “provide[d] only modest changes to the 2011 staff guidance,” she proposed that the SEC could have, among other things, examined what the staff had learned since the release of the 2011 guidance and capitalized on those findings, or discussed various disclosures that investors find useful, such as information relating to whether a particular cybersecurity incident is likely to occur, or how a company internally prioritizes cybersecurity risks and incidents. Even though Stein believes the SEC could have done more, she noted that, “it is hard to disagree with the [SEC] emphasizing the importance of the disclosure of cybersecurity risks and incidents.”