The Securities and Exchange Commission (SEC) recently published new interpretative guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents.

While the new guidance does not change any of the SEC’s rules, and is generally consistent with the 2011 staff guidance, it addresses two additional topics:

1. Disclosure Controls and Procedures: Companies should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel to enable senior management to make disclosure decisions and certifications.
2. Insider Trading: Policies and procedures should be in place to prevent trading on the basis of material non-public information. Companies should consider restrictions on trading while significant cyber incidents are investigated.

The new guidance declares “Cybersecurity risks pose grave threats to investors, our capital markets, and our country” and goes on to outline the SEC’s desire “for public companies to provide disclosures about cybersecurity incidents they encounter and the cybersecurity risks that they face.”

It also discusses the importance of cybersecurity policies and procedures, along with the application of disclosure controls and procedures, insider trading prohibitions, and Regulation FD and selective disclosure prohibitions in the cybersecurity context.

Given the frequency, magnitude and cost of cybersecurity incidents, the SEC believes public companies should inform investors about material cybersecurity risks and incidents in a timely fashion, including companies that are subject to cybersecurity risks but haven’t yet been the target of a cyber-attack.

It is telling that the document was published just weeks before the former Equifax CIO was charged by the Department of Justice for insider trading related to, at the time of his trades, his knowledge of Equifax’s impending breach announcement.

The interpretive guidance identifies sections of filings where the disclosure of cybersecurity matters may be appropriate and provides examples of the types of disclosures that should be considered, including the following:

• Risk factors: previous or ongoing incidents, probability of occurrence and potential magnitude, adequacy of preventative actions and costs to maintain protections
• Description of business: how cybersecurity incidents or risks may materially affect a company’s products, services, relationships with customers or suppliers, or competitive conditions
• MD&A: the cost of ongoing cybersecurity efforts (including enhancements to existing efforts), the costs and other consequences of cybersecurity incidents and the risks of potential cybersecurity incidents
• Legal proceedings: theft of customer information that results in material litigation
• Financial statement disclosures: the range and magnitude of the financial statement implications of a cybersecurity incident
• Board risk oversight: if cybersecurity risks are material to a company’s business, the nature of the board’s role in overseeing the management of that risk

Additional cybersecurity disclosures should be considered in periodic reports (e.g., Form 10-K, Form 10-Q, Form 20-F) and registration statements (e.g., Form S-1, Form S-3). The SEC encourages companies to use Form 8-K or Form 6-K to disclose the occurrence and consequences of material information pertaining to cybersecurity incidents.

For public companies, compliance with the interpretive guidance will ensure companies time to inform investors about the material cybersecurity risks and incidents that the company has faced or is likely to face.

Most companies should expect to have increased disclosures in their SEC filings with respect to board risk oversight and cyber breaches, threats and potential risks. Officers and directors should be especially mindful of the SEC’s new focus on cybersecurity as an integral component of a company’s broader enterprise-wide risk management structure.

Cyber security programs must be designed to ensure that principal executive officers and principal financial officers are properly informed to make related disclosure decisions and have obtained required certifications under Sarbanes-Oxley.

In addition, a corporation’s attention to cybersecurity should extend well beyond regulatory compliance. This follows a trend in the information security profession of disdain for compliance-only programs where security programs are focused only on managing compliance with a set of regulatory authorities such as HIPAA, PCI, etc. that leaves risks outside the umbrella of the authorities’ focus unaddressed. These risks may be more material to an organization.

As a public company, regulations often represent the leading edge of expected management best practices. We believe that private companies, non-profits and other entities will see these matters become expectations as they relate to disclosures and transparency of cybersecurity risk and incidents.

We also believe that those firms providing products and services to public companies will see a further increase in third party risk management activities, requiring non-public companies to elevate to the standards already required by the larger public companies in order to do business with them.

What’s next?

Companies should assess their current cybersecurity risk management policies and procedures, and assess if they have sufficient disclosure controls and procedures in place to ensure relevant information about cybersecurity risks and incidents is processed and reported in their SEC filings.

The SEC’s new guidance declares cybersecurity is not an IT issue but a board issue; it is not a technical support function but a risk management function.

GBQ IT Services helps those firms who embrace risk management as the means to manage their cyber risks. Contact GBQ at (614) 221-1120 or ddavison@gbq.com for more information.