On Feb. 21, 2018, the Securities and Exchange Commission (SEC) released a Statement and Interpretive Guidance, in its words, “to assist public companies in preparing disclosures about cybersecurity risks and incidents.” The Interpretive Guidance touches on two areas: first, what information must be disclosed about cyber risks and incidents, and second, a reminder that general insider trading prohibitions apply when cyber incidents have not been (or have only selectively been) disclosed.
The scope of disclosure is fairly broad: “the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risk and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.” While the first half of the Commission’s statement has been made clear before, the second half – the requirement to disclose material cybersecurity risks that have not been targeted – has not been stated as directly.
For a determination of disclosure, materiality of the incident or risk is a significant threshold finding. The SEC makes it clear that the Interpretive Guidance does not alter their definition of materiality: “if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available.”
For companies subject to this directive, the quandary is clear: how to disclose such a risk without educating prospective attackers. The Commission appears to recognize the issue but provides little guidance on how to navigate the waters:
“We do not expect companies to publicly disclose specific, technical information about their cybersecurity systems, the related networks and devices, or potential system vulnerabilities in such detail as would make such systems, networks, and devices more susceptible to a cybersecurity incident. Nevertheless, we expect companies to disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal, or reputational consequences.”
The Commission also instructs that companies develop effective disclosure controls and policies to determine when – and how – such information should be publicly disclosed. Moreover, the persons responsible for overseeing the controls and policies must be informed about the risks and incidents the company has faced or will face.
Last, the Commission reminds corporate officers, directors, and other insiders that company stock should not be traded while in possession of material non-public information, which may include knowledge of a significant cyber incident experienced by the company. It should be noted that the Commission again uses the word “material,” both in reference to disclosures and in the prohibition on insider trading. This evaluation could prove challenging, as most publicly traded companies find themselves probed and attacked by cyber intruders on a regular basis. As suggested by the Commission, corporate policies and procedures will assist in making the determination of materiality and disclosure timing, which in turn will help insiders know when the waters are safe for trading corporate stock.
“Commission Statement and Guidance on Public Company Cybersecurity Disclosures,” p. 4, Release Nos. 33-10459; 34-82746, https://www.sec.gov/rules/interp/2018/33-10459.pdf
Id. at 10.
The Guidance does reference a study concluding that 88% of Fortune 500 companies already disclose cyber risk. Id. at 6, fn. 12.
Id. at 11.