When you were a kid, did you ever wait patiently for Christmas, with a specific item on your wishlist? Then, the fateful day arrives and you realize the toy is lame and not quite what you expected it to be?
That was the flashback feeling this week as the Securities and Exchange Commission released long-awaited rules for cyber-security disclosures.
We need to back up a bit though. There were no actual rules. Despite promises from the Trump Administration and Department of Justice that guidance would no longer be a substitute for rulemaking, there was merely a statement and interpretive guidance. Also, despite setting an open meeting to publicly discuss options, that meeting was cancelled and Commissioners weighed in, secretly, the day before.
What the Commission did offer was essentially a reboot of previous disclosure requirements.
Chairman Jay Clayton says the guidance “will promote clearer and more robust disclosure by companies about cyber-security risks and incidents, resulting in more complete information being available to investors.”
“In particular, I urge public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives,” he added.
The guidance provides the Commission’s views about public companies’ disclosure obligations under existing law with respect to matters involving cyber-security risk and incidents. It also addresses the importance of cyber-security policies and procedures and the application of disclosure controls and procedures, insider trading prohibitions, and Regulation FD and selective disclosure prohibitions in the cyber-security context.
In 2011, the Division of Corporation Finance issued guidance that provided the Division’s views regarding disclosure obligations that relate to cyber-security risks and incidents. This week, the Commission voted to provide guidance to public companies that reinforces and expands the Division’s prior guidance. The guidance highlights the disclosure requirements under the federal securities laws that public operating companies must pay particular attention to when considering their disclosure obligations with respect to cyber-security risks and incidents, a statement says.
The guidance reminds companies that they are required to file periodic reports to disclose specified information on a regular and ongoing basis. These periodic reports include annual reports on Form 10-K, which require companies to make disclosure regarding their business and operations, risk factors, legal proceedings, management’s discussion and analysis of financial condition and results of operations, financial statements, disclosure controls and procedures, and corporate governance.
Periodic reports also include quarterly reports on Form 10-Q, which require companies to make disclosure regarding their financial statements, MD&A, and updated risk factors. Likewise, foreign private issuers are required to make many of these same disclosures in their periodic reports on Form 20-F. Companies must provide timely and ongoing information in these periodic reports regarding material cyber-security risks and incidents that trigger disclosure obligations.
Securities Act and Exchange Act registration statements must disclose all material facts required to be stated therein or necessary to make the statements therein not misleading.
In order to maintain the accuracy and completeness of effective shelf registration statements with respect to the costs and other consequences of material cyber-security incidents, companies can provide current reports on Form 8-K or Form 6-K.
The Commission encouraged companies to continue to use Form 8-K or Form 6-K to disclose material information promptly, including cyber-security disclosures.
The Commission considers omitted information to be material if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available.
The guidance says it would be helpful for companies to consider the following issues, among others, in evaluating cyber-security risk factor disclosure:
• The occurrence of prior cyber-security incidents, including their severity and frequency;
• The probability of the occurrence and potential magnitude of cyber-security incidents;
• The adequacy of preventative actions taken to reduce cyber-security risks and the associated costs, including, if appropriate, discussing the limits of the company’s ability to prevent or mitigate certain cyber-security risks;
• The aspects of the company’s business and operations that give rise to material cyber-security risks and the potential costs and consequences of such risks, including industry-specific risks and third party supplier and service provider risks;
• The costs associated with maintaining cyber-security protections, including, if applicable, insurance coverage relating to cyber-security incidents or payments to service providers;
• The potential for reputational harm;
• Existing or pending laws and regulations that may affect the requirements to which companies are subject relating to cyber-security and the associated costs to companies; and
• Litigation, regulatory investigation, and remediation costs associated with cyber-security incidents.
“In addition, we believe disclosures regarding a company’s cyber-security risk management program and how the board of directors engages with management on cyber-security issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area,” the SEC said. “We encourage companies to adopt comprehensive policies and procedures related to cyber-security and to assess their compliance regularly, including the sufficiency of their disclosure controls and procedures as they relate to cyber-security disclosure.”
Commissioner Robert Jackson said he reluctantly supported the guidance “in the hope that it is just the first step toward defeating those who would use technology to threaten our economy.”
“The guidance essentially reiterates years-old staff-level views on this issue. But economists of all stripes agree that much more needs to be done,” he said.
The lack of a representative data set for cyber-security incidents poses a number of challenges to firms and policymakers, Jackson said.
“For policymakers, it makes it next to impossible to accurately measure the cost of cyber-security incidents for the U.S. economy and to determine whether more active government involvement is needed to limit cyber-security risk. Likewise, for firms, the lack of data makes it difficult to correctly assess the expected costs of cyber-security exposure and to determine the optimal level of investment in cyber-security,” he added.
“When the Chairman put cyber-security on the Commission’s agenda, I was very supportive. Unfortunately, I am disappointed with the Commission’s limited action,” said Commissioner Kara Stein, in a statement.
“The question,” she asked, “is what we, as the Commission, should be doing to add value given seven additional years of insight and experience? Should we be, in effect, re-issuing staff guidance solely to lend it a Commission imprimatur? Will companies, their general counsels, and their boards suddenly take notice of their cyber-related disclosure obligations because of the Commission’s new endorsement? Or will law firms simply produce a host of client alerts reaffirming their alerts from years past?”
“The more significant question is whether this rebranded guidance will actually help companies provide investors with comprehensive, particularized, and meaningful disclosure about cyber-security risks and incidents,” she said.
Stein highlighted, in her words, just a few examples of what could have been achieved in the context of disclosure:
“We could have examined what the staff has learned since the release of its 2011 guidance and provided new guidance that capitalized on these findings. After all, the staff of the Division of Corporation Finance reviews hundreds of public company filings every year. The staff also reviews hundreds of shareholder proposals each year, many of which have been increasingly calling on companies to provide more effective cyber-related disclosure.
We could have discussed the various advances in technology used in cyber-attacks since 2011, and how such advances could affect a company’s disclosure regarding company-specific risks.
We could have, for example, considered some of the recent Investor Advisory Committee Subcommittee’s preliminary suggestions, and discussed the value to investors of disclosure relating to: a company’s protocols relating to, or efforts to minimize, cyber-security risks and its capacity, and any measures taken, to respond to cyber-security incidents; whether a particular cyber-security incident is likely to occur or recur; or how a company is prioritizing cyber-security risks, incidents, and defense.”
“In effect, we could have helped companies formulate more meaningful disclosure for investors. Instead, yesterday’s guidance provides only modest changes to the 2011 staff guidance,” Stein said. “Some would say that the Commission is confined in what it can do in the context of guidance, without engaging in a formal rulemaking. I agree. I believe it is important for the Commission to be mindful of the guidance it or its staff produces that may be tantamount to rulemaking. That is why, as I have remarked before, it is imperative that the Commission do more. As we have heard from a variety of commenters since the 2011 staff guidance, guidance, alone, is plainly not enough.”
Rather than mere guidance, she argued that the Commission should have initiated a notice and comment period.