SEC Issues Disclosure Guidance as Part of Continued Focus on Cybersecurity

As cybersecurity attacks have continued to gain prominence as a threat posing critical risk management and compliance challenges for financial institutions, the Securities and Exchange Commission (SEC) has emerged as an active federal regulator in this arena. In September 2017, the SEC announced the creation of a Cyber Unit housed within the SEC’s Enforcement Division that targets cyber-related misconduct, including hacking to obtain material nonpublic information, intrusions into retail brokerage accounts, and cyber-related threats to trading platforms and other critical market infrastructure.  A little over a year prior to this announcement, Morgan Stanley paid $1 million to settle charges based on the SEC’s findings that the institution had failed to adopt reasonable policies and procedures to protect confidential customer information, which led to the hacking of data from approximately 730,000 customer accounts.

Most recently, in February 2018, the SEC issued a statement and interpretive guidance (2018 Guidance), applicable to public operating companies, that outlines the SEC’s views regarding disclosure requirements in the context of cybersecurity.  The 2018 Guidance reinforces and expands upon guidance issued in 2011 (2011 Guidance).  The 2018 Guidance also addresses two additional topics: the importance of maintaining cybersecurity policies and procedures; and the relevance of insider trading prohibitions with respect to cybersecurity.  The genesis of the 2018 Guidance is the SEC’s belief that “[g]iven the frequency, magnitude and cost of cybersecurity incidents . . . it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.” 

Guidance on Disclosure Requirements

Like the 2011 Guidance, the 2018 Guidance notes that “no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents.” The 2018 Guidance, however, goes on to highlight the specific requirements, set forth in Regulation S-K (17 C.F.R. Part 229) and Regulation S-X (17 C.F.R. Part 210), that may trigger the need for cyber-related disclosures in registration statements and in periodic and current reports.  Those requirements and circumstances, which are discussed in much greater detail in the 2018 Guidance, include:

  • Disclosure of Risk Factors – Companies are required to disclose the most significant factors that make investing in a company’s securities risky, and the 2018 Guidance states that cybersecurity risks and incidents could rank among a company’s most significant risk factors. The 2018 Guidance includes a series of issues a company should consider in determining whether cybersecurity risks or incidents should be disclosed as risk factors, including the occurrence of prior cybersecurity incidents and the probability of future incidents.  The 2018 Guidance notes that, in order to place cybersecurity risks in context and effectively communicate those risks to investors, a company may be required to disclose past or ongoing incidents.
  • Disclosure of Material Effects on Financial Condition – As part of management’s discussion and analysis (MD&A) of financial condition and results of operations, companies are required to highlight events, trends, or uncertainties that are reasonably likely to have a material effect on the company’s financial condition or that would render already reported financial information not necessarily indicative of future results or condition. The 2018 Guidance notes that the direct costs of cybersecurity measures and incidents, as well as costs associated with cybersecurity issues (e.g., loss of intellectual property, responding to regulatory investigations, preparing for and complying with cybersecurity legislation), may be appropriate to include in a company’s MD&A disclosure.
  • Disclosure in Description of Business – The 2018 Guidance observes that companies may need to disclose cybersecurity incidents and risks as part of the required discussion of products, services, relationships with customers and suppliers, and competitive conditions, to the extent such incidents and/or risks impact those business components.
  • Disclosure of Legal Proceedings – Companies are required to disclose information regarding material pending legal proceedings, which the 2018 Guidance notes may encompass proceedings related to cybersecurity issues (e.g., litigation by customers related to a cybersecurity breach involving theft of confidential customer information).
  • Financial Statement Disclosures – The 2018 Guidance states that cybersecurity incidents may impact a company’s financial statements in a variety of forms, including expenses related to investigation of cyber-attacks and breach notifications, loss of revenue, and breach of contract claims.
  • Disclosure of Board Oversight of Risk – Companies are required to disclose the extent to which their boards of directors are involved in risk oversight, and the 2018 Guidance indicates that this disclosure should include a discussion of a board’s role in managing cybersecurity risks, to the extent such risks are material to a company’s business.

Policies and Procedures

The 2018 Guidance goes beyond the 2011 Guidance in emphasizing the critical importance of cybersecurity risk management policies and procedures as part of a company’s enterprise-wide risk management, as well as a company’s compliance with federal securities laws related to internal controls and procedures.  The 2018 Guidance encourages the adoption of comprehensive cybersecurity policies and procedures and the regular compliance assessment of such policies and procedures, including assessment of controls and procedures for processing and reporting relevant cybersecurity information for disclosure consideration.  Noting the requirement for a company’s principal executive officer and financial officer to make certifications regarding the effectiveness of disclosure controls and procedures, the 2018 Guidance emphasizes that such certifications should account for the adequacy of controls and procedures for identifying and analyzing cybersecurity risks and incidents.

Insider Trading

Finally, the 2018 Guidance emphasizes the applicability of insider trading laws in the context of cybersecurity risks and incidents.  Specifically, the 2018 Guidance indicates that information regarding cybersecurity risks and incidents may constitute material nonpublic information, such that the trading of company securities by directors, officers, and other corporate insiders on the basis of such information would violate the antifraud provisions of federal securities laws. 

Relatedly, the 2018 Guidance also highlights the obligations of companies under Regulation FD (17 C.F.R. § 243.100), which requires a company that selectively discloses material nonpublic information to certain persons listed under the regulation to also disclose that information publicly.  The 2018 Guidance simply notes that the disclosure of material nonpublic information related to cybersecurity would be captured by the requirements of Regulation FD.

SEC Enforcement for Failure to Disclose

Just two months after issuing the 2018 Guidance, the SEC announced the payment of a $35 million penalty by Altaba, Inc., the successor to Yahoo, Inc., to settle charges that Yahoo misled investors by failing to disclose a massive hack of personal data for millions of customers.  Specifically, the SEC’s order stated that Russian hackers stole personal information for Yahoo customers in December 2014 and that, despite learning of the breach within days of the intrusion, Yahoo failed to disclose the breach in quarterly and annual reports over the subsequent two years.  In addition to finding that Yahoo had breached its disclosure obligations, the SEC found that Yahoo had failed to maintain reasonable disclosure controls and procedures.  In announcing the payment of the $35 million penalty, the SEC cited the adoption of the 2018 Guidance earlier this year.

*****

Even in the current environment of deregulation, the regulatory focus on cybersecurity shows no signs of abating.  Notably, the Economic Growth, Regulatory Relief, and Consumer Protection Act signed by President Trump on May 24, 2018, which modifies or eliminates certain requirements under the Dodd-Frank Act, includes a requirement for the Secretary of the Treasury to submit to Congress a report within one year of the bill’s enactment on the risks of cyber threats to financial institutions.  Among other information, the report must include an analysis of how the Federal banking agencies and the SEC are addressing cybersecurity risks and recommendations on whether any of the agencies require additional measures and resources to address such risks.  The report may further bolster the sustained focus on cybersecurity by the SEC, and it may prompt the Federal banking agencies to issue further guidance and/or revisit enhanced cyber risk management standards for large entities and their service providers, which were presented in an advance notice of proposed rulemaking in October 2016 but never advanced further by the agencies.

We will be monitoring future activity by the SEC (and other Federal regulators) with respect to cybersecurity, including SEC enforcement actions that may further define the agency’s views regarding disclosure requirements.  If you have questions about your company’s cybersecurity disclosure obligations, you can contact any member of our Privacy & Data Security practice group for more information.