The Securities and Exchange Commission (“SEC”) just issued, on February 21, 2018, a new Guidance with respect to cybersecurity disclosures for publicly-held corporations. The quick takeaway is that data breaches and data breach risks are likely to be “material” for purposes of disclosure, data security should be deemed a “board level” concern, and knowledge of cybersecurity risks and events are legally relevant to issues with respect to insider trading.
Disclose Data Breaches and Cybersecurity Risks
The SEC issued a cybersecurity Guidance in 2011. This new 2018 Guidance is an update. Of note, the new Guidance was issued at the full Commission level; the 2011 Guidance was a staff-level Guidance. While any Guidance must be taken seriously, the fact that the full five-member SEC Commission reviewed and voted to approve the Guidance suggests a new level of importance to the SEC’s cybersecurity Guidance. The first sentence in the Guidance is: “Cybersecurity risks pose grave threats to investors, our capital markets, and our country.”
Under both the 2011 Guidance and the 2018 Guidance, cybersecurity risks and incidents may need to be disclosed in various annual and quarterly reports required pursuant to various federal Securities Acts. Indeed, the SEC highlighted specific sections of the reports where cyberattacks, breaches and cybersecurity risks might be required, including sections on:
- Risk factors
- MD&A
- Description of business
- Legal proceedings
- Financial statement disclosures
The new Guidance is quite specific in places. Thus, with respect to risk factors, the new Guidance references “Item 503(c) of Regulation S-K and Item 3.D of Form 20-F.” Both of these require disclosure of significant factors that make an investment in the company’s securities risky or speculative. Essentially, the 2018 Guidance puts cybersecurity and data breach/hacking events on the level of other information that must be disclosed if the information impacts evaluation of an investor’s risk. Data breaches and cybersecurity issues might have these impacts on investment risk:
- Cessation or interference with the company operations
- Direct impacts on company liquidity or financial condition
- Loss of trade secrets and/or other valuable intellectual property
- Cost of ongoing cybersecurity efforts — including maintaining state-of-the-art preventative measures
- Insurance costs
- Costs with respect to responding to litigation and regulatory investigations
- Harm to reputation — relevant to profit/loss and to stock price
- Loss of competitive advantage
The 2018 Guidance does not create or require any compulsory disclosure. Rather, the Guidance highlights that data breaches, hacks and other cybersecurity events and general cybersecurity risks might be “material” for disclosure purposes. As the SEC Guidance states:
” … it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.”
The 2018 Guidance provides factors that should be considered when considering the issue of “materiality:”
- Existence of hacking or cyberattack event
- Probability of future event
- Magnitude of past event(s) and/or risk of future event
- Mitigation efforts, but without compromising prevention efforts
- If event occurred, whether information/data was compromised
- The importance of any compromised data
- Impact on the company’s operations, reputation, financial performance and third party relationships
- Possibility of litigation or regulatory action
- Disclosure and/or notice laws to with company is subject
While emphasizing the need for disclosure, the new Guidance also recognize the necessary balance between disclosing information about events and risks without compromising a company’s efforts to prevent and combat cyberattacks.
The new Guidance also highlights the importance of “timely” disclosures, which is also a component of the insider trader portion of the Guidance. With respect to disclosure, the 2018 Guidance makes it clear that the TIMING of disclosure might be as important, for “materiality”, as the disclosure itself. Again, the SEC recognizes the necessary balance between “timely” and “immediate.” Various factors such as cooperation with law enforcement make prevent “immediate” disclosure. Thus, while a “timely” disclosure is needed, what is “timely” will depend on the circumstances.
Board’s Role in Risk Oversight
Another important aspect of the 2018 Guidance is the emphasis on the obligation of the Board of Directors to discuss, review, and approve cybersecurity issues and measures. The SEC highlights the fact that a member of the board has a general obligation to evaluate various risks when making decisions and policies for the company. In other words, “risk oversight” is part of a director’s “business judgment” that a director must exercise. The new Guidance elevates cybersecurity and data breach risks to the “board level.” The new Guidance also discusses the need to create proper reporting channels to move cybersecurity risks and events up the chain of command to upper management and to the board.
In addition, members of the board are directed by the new Guidance to avoid insider trading.
Insider Trading
Insider trading is a new topic for the 2018 Guidance. As noted above, because there is often a necessary time lag between a cybersecurity event and public disclosure, legal issues with respect to insider trading are implicated. Moreover, there is also a time lag between a cybersecurity event and when an evaluation is made with respect to severity, what data was compromised, and potential cost/profit impacts of the breach or hack.
The 2018 Guideline states that, during those time lags, those within the company with knowledge of a data breach or other attack or the impact of such an event should not buy or sell stock in the company. The Guidance states:
“… directors, officers,and other corporate insiders must not trade a public company’s securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company.”
Note that the Guidance can be used as evidence in shareholder derivative actions and securities fraud cases. The Guidance recommends that, if not already otherwise in place, the following steps should be implemented:
- Establish/create general policies and procedures to prohibit and otherwise guard against officers, directors, and other company employees from taking advantage of the aforementioned “time lags” with respect to buying and selling the company’s securities
- Establish policies and procedures for timely disclosure of data breach/hack information
- Establish policies specifically to prohibit and prevent insider trading in the days before public disclosure
- Establish policies that prevent the appearance of improper trading — the appearance often being just as damaging to a company’s reputation as the actuality of insider trading
Contact Revision Legal Today
For more information, contact the skilled and experienced data breach attorneys at Revision Legal. We have the dedication to help if you need advice on security, if your business has suffered a data breach, or if you need assistance in enhancing your cybersecurity. Internet law is our main practice focus and we have the skill set to help your business with data breach mitigation and response. Contact us via email or call us at 855-473-8474.
You Might Also Like: