Through its actions and publications, the Securities and Exchange Commission (SEC) has shown an increased focus on cybersecurity and the public disclosure of cybersecurity risks and incidents. In early 2018, the SEC issued a statement and an interpretive guide to assist companies in understanding and meeting their disclosure obligations concerning cybersecurity risks and incidents. In the accompanying statement, the SEC explained that “the scope and severity of risks that cyber threats present have increased dramatically, and constant vigilance is required to protect against intrusions.”
This SEC guidance follows a guide released by the SEC Division of Corporation Finance in 2011. The interpretive guide outlines the SEC’s view on the cybersecurity disclosures required under federal securities law. It also touches on the importance of public companies maintaining cybersecurity policies and procedures and discusses prohibited insider trading related to cybersecurity breaches.
The interpretive guide essentially puts public companies on notice regarding disclosure requirements for material cybersecurity risks and incidents. It explains that some reports required under the Securities Act and Exchange Act may prompt disclosure of cybersecurity risks facing a company as they relate to financial, legal, or reputational consequences. Importantly, the guide cautions that disclosures should be “timely” and warns that ongoing investigations, by themselves, do not provide a basis for avoiding the disclosure of a material cybersecurity incident.
Signaling an emphasis on enforcement actions, SEC Chairman Jay Clayton warned that “issuers and other market participants must take their periodic and current disclosure obligations regarding cybersecurity risks seriously, and failure to do so may result in an enforcement action.”
True to its word, after releasing the interpretive guide, the SEC brought multiple enforcement actions over cybersecurity disclosures. See SEC Enforcement Actions. Many of these actions have resulted in settlements with fines in the millions of dollars, coupled with agreements by the companies to improve their cybersecurity policies and procedures. The SEC appears to be focused on companies that, in the agency’s view, made misleading statements or omissions about a cybersecurity breach and failed to properly assess whether the breach should have been incorporated into their public disclosures.
Moreover, in its strategic plan for 2018-2022, the SEC highlighted an expanded focus on cybersecurity and data protection to address the agency’s belief that “cybersecurity threats to the complex system that helps the markets function are constant and growing in scale and sophistication.” As one of the goals outlined, the SEC stated its intention to examine strategies to address cybersecurity risks facing capital markets.
These collective efforts likely foreshadow greater SEC involvement in cybersecurity and disclosure requirements. Going forward, companies must be sure that they have a cybersecurity policy and plan in place and must quickly evaluate whether a cybersecurity incident requires public disclosure.