
SEC Guidance on Cybersecurity: Data Breaches Are Likely Material

By John DiGiacomo

The Securities and Exchange Commission (“SEC”) just issued, on February 21, 2018, a new Guidance with respect to cybersecurity disclosures for publicly-held corporations. The quick takeaway is that data breaches and data breach risks are likely to be “material” for purposes of disclosure, data security should be deemed a “board level” concern, and knowledge of cybersecurity risks and events is legally relevant to issues with respect to insider trading.

Disclose Data Breaches and Cybersecurity Risks

The SEC issued a cybersecurity Guidance in 2011. This new 2018 Guidance is an update. Of note, the new Guidance was issued at the full Commission level; the 2011 Guidance was a staff-level Guidance. While any Guidance must be taken seriously, the fact that the full five-member SEC Commission reviewed and voted to approve the Guidance suggests a new level of importance to the SEC’s cybersecurity Guidance. The first sentence in the Guidance is: “Cybersecurity risks pose grave threats to investors, our capital markets, and our country.”

Under both the 2011 Guidance and the 2018 Guidance, cybersecurity risks and incidents may need to be disclosed in various annual and quarterly reports required pursuant to various federal Securities Acts. Indeed, the SEC highlighted specific sections of the reports where cyberattacks, breaches and cybersecurity risks might be required, including sections on:

  • Risk factors
  • MD&A
  • Description of business
  • Legal proceedings
  • Financial statement disclosures

The new Guidance is quite specific in places. Thus, with respect to risk factors, the new Guidance references “Item 503(c) of Regulation S-K and Item 3.D of Form 20-F.” Both of these require disclosure of significant factors that make an investment in the company’s securities risky or speculative. Essentially, the 2018 Guidance puts cybersecurity and data breach/hacking events on the level of other information that must be disclosed if the information impacts evaluation of an investor’s risk. Data breaches and cybersecurity issues might have these impacts on investment risk:

  • Cessation or interference with the company operations
  • Direct impacts on company liquidity or financial condition
  • Loss of trade secrets and/or other valuable intellectual property
  • Cost of ongoing cybersecurity efforts — including maintaining state-of-the-art preventative measures
  • Insurance costs
  • Costs with respect to responding to litigation and regulatory investigations
  • Harm to reputation — relevant to profit/loss and to stock price
  • Loss of competitive advantage

The 2018 Guidance does not create or require any compulsory disclosure. Rather, the Guidance highlights that data breaches, hacks and other cybersecurity events and general cybersecurity risks might be “material” for disclosure purposes. As the SEC Guidance states:

“… it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.”

The 2018 Guidance provides factors that should be considered when considering the issue of “materiality:”

While emphasizing the need for disclosure, the new Guidance also recognizes the necessary balance between disclosing information about events and risks and not compromising a company’s efforts to prevent and combat cyberattacks.

The new Guidance also highlights the importance of “timely” disclosures, which is also a component of the insider trading portion of the Guidance. With respect to disclosure, the 2018 Guidance makes it clear that the TIMING of disclosure might be as important, for “materiality”, as the disclosure itself. Again, the SEC recognizes the necessary balance between “timely” and “immediate.” Various factors, such as cooperation with law enforcement, may prevent “immediate” disclosure. Thus, while a “timely” disclosure is needed, what is “timely” will depend on the circumstances.

Board’s Role in Risk Oversight

Another important aspect of the 2018 Guidance is the emphasis on the obligation of the Board of Directors to discuss, review, and approve cybersecurity issues and measures. The SEC highlights the fact that a member of the board has a general obligation to evaluate various risks when making decisions and policies for the company. In other words, “risk oversight” is part of a director’s “business judgment” that a director must exercise. The new Guidance elevates cybersecurity and data breach risks to the “board level.” The new Guidance also discusses the need to create proper reporting channels to move cybersecurity risks and events up the chain of command to upper management and to the board.

In addition, members of the board are directed by the new Guidance to avoid insider trading.

Insider Trading

Insider trading is a new topic for the 2018 Guidance. As noted above, because there is often a necessary time lag between a cybersecurity event and public disclosure, legal issues with respect to insider trading are implicated. Moreover, there is also a time lag between a cybersecurity event and when an evaluation is made with respect to severity, what data was compromised, and potential cost/profit impacts of the breach or hack.

The 2018 Guidance states that, during those time lags, those within the company with knowledge of a data breach or other attack or the impact of such an event should not buy or sell stock in the company. The Guidance states:

“… directors, officers, and other corporate insiders must not trade a public company’s securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company.”

Note that the Guidance can be used as evidence in shareholder derivative actions and securities fraud cases. The Guidance recommends that, if not already otherwise in place, the following steps should be implemented:

  • Establish/create general policies and procedures to prohibit and otherwise prevent officers, directors, and other company employees from taking advantage of the aforementioned “time lags” with respect to buying and selling the company’s securities
  • Establish policies and procedures for timely disclosure of data breach/hack information
  • Establish policies specifically to prohibit and prevent insider trading in the days before public disclosure
  • Establish policies that prevent the appearance of improper trading — the appearance often being just as damaging to a company’s reputation as the actuality of insider trading

Contact Revision Legal Today

For more information, contact the skilled and experienced data breach attorneys at Revision Legal. We have the dedication to help if you need advice on security, if your business has suffered a data breach, or if you need assistance in enhancing your cybersecurity. Internet law is our main practice focus and we have the skill set to help your business with data breach mitigation and response. Contact us via email or call us at 855-473-8474.
