On February 21, 2018, the US Securities and Exchange Commission (SEC) issued interpretive guidance related to cybersecurity risk and incident disclosures.
See the full document here:
In addition to creating new requirements for public companies in the US, this action points to new, important areas of investigation when performing IT due diligence on these companies.
In 2011, the SEC’s Division of Corporation Finance issued guidance related to public company disclosure obligations regarding cybersecurity risks and incidents. This guidance informed companies that although there were no specific cybersecurity risk and incident disclosure requirements in place, they might be obligated to disclose them under existing regulations. In response, many public companies began to disclose cybersecurity information in required SEC reporting documents.
Given the increasing severity and size of cybersecurity incidents at large companies around the world since 2011, the SEC believed it was important to provide further interpretive guidance, which resulted in the February 2018 release.
Key Points in the 2018 Guidance
Periodic and Current Reporting
Annual reports (10-K) and quarterly reports (10-Q) must provide “timely and ongoing information” regarding “material cybersecurity risks and incidents that trigger disclosure obligations.”
Current reports (8-K and 6-K) should be used to promptly disclose the existence and costs of cybersecurity incidents.
The SEC is not suggesting that companies provide detailed technical information in cybersecurity disclosures, especially when that information could create greater cybersecurity risk.
Companies should review and correct prior reporting that did not adequately disclose cybersecurity risks and incidents.
Securities registration statements should be reviewed for proper disclosure of cybersecurity risks.
The SEC specifically indicates that cybersecurity risks associated with acquisitions must be considered.
The following factors should be considered when determining whether disclosure is appropriate:
- The existence of prior cybersecurity incidents
- The probability and potential magnitude of future incidents
- The adequacy and costs (including insurance coverage) of the company’s efforts to reduce cybersecurity risks
- Risks related to company’s industry
- Risks and past incidents involving the company’s suppliers and service providers
- The potential for damage to the company’s reputation
- Regulations that affect the company’s efforts and requirements
- Litigation and other remediation costs associated with past cybersecurity incidents
To the extent there is cybersecurity risk associated with a company’s operations, the company board’s role in overseeing that risk and the existence of any cybersecurity risk management program should be disclosed.
Importance of Cybersecurity Policies and Procedures
There are already numerous requirements in place for public companies to disclose and for senior officers to certify the completeness and accuracy of risk disclosures. These include the development, maintenance and periodic evaluation of the effectiveness of relevant policies and procedures. The SEC clarified in this release that such requirements cover cybersecurity risks and incidents.
Insider Trading Prohibitions
The SEC clarified that information related to cybersecurity risks and incidents may be considered “nonmaterial public information” and therefore fall under existing laws prohibiting insider trading on such information.
The Impact on IT Due Diligence
The SEC release has a number of impacts on IT due diligence.
When Performing IT Due Diligence on a Public Company
- Evaluate the existence and effectiveness of cybersecurity risk reporting policies and procedures
- Determine if previous cybersecurity incidents have been properly reported and mitigated
- Evaluate whether suppliers and service providers have been properly evaluated for cybersecurity risks (the massive 2013 Target data breach occurred via an HVAC service provider)
- Assess the company’s practices regarding cybersecurity IT due diligence of past and ongoing acquisitions
- Review the adequacy of cybersecurity liability insurance
When Performing IT Due Diligence on a Potential Acquisition of a Public Company
- Thoroughly investigate the history of prior cybersecurity incidents. Will the existence of a significant prior breach impact the acquirer’s ability or cost to obtain cybersecurity insurance? Will a disclosure of prior cybersecurity incidents and expenses be required of the acquirer?
- Is the company currently addressing or mitigating the costs of a cybersecurity incident?
- If the acquirer is using the acquisition to move into a new industry, are there industry-specific cybersecurity risks to identify and disclose?
- Review the cybersecurity history of the company’s suppliers and service providers as they may soon become vendors of the public company
Companies with Public Market Intentions Evaluating their Readiness
- Ensure that cybersecurity risk and disclosure policies and procedures are developed
- Evaluate current supplier and vendor cybersecurity risks
- Fully document past cybersecurity incidents, including the steps taken to mitigate and the related costs
- Obtain or review the adequacy of cybersecurity insurance
As information technology plays a more and more important role in every company, laws and regulations must be updated to keep up. The 2018 SEC guidance is a good example. Public companies should review their current practices related to cybersecurity risk and disclosure to ensure they remain in compliance.