On February 21, 2018, the Securities and Exchange Commission (SEC) “voted unanimously to approve a statement and interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents.”1 The SEC did not wait long for the public to absorb this guidance. On April 24, 2018, the Securities and Exchange Commission “announced that the entity formerly known as Yahoo! Inc. has agreed to pay a $35 million penalty to settle charges that it misled investors by failing to disclose one of the world’s largest data breaches in which hackers stole personal data relating to hundreds of millions of user accounts.”2 In the space of 2 months, the SEC went from “Companies also may have disclosure obligations” for breaches to paying $35 million for failure to disclose.3 When the expectations change so quickly, it is important for companies to think strategically not only about where enforcement action has been but where it is going. It is now clear that the SEC is operating in the cyber enforcement space and that they expect fast answers. What, however do they want?
Overview of the “Commission Statement and Guidance on Public Company Cybersecurity Disclosures”
The thesis statement for the SEC’s guidance occurs on the first page: “Cybersecurity risks pose grave threats to investors, our capital markets, and our country.” According to the SEC, secure networks and technology are “analogous to the importance of electricity and other forms of power in the past century."4 Adequate security is therefore critical.
The SEC then takes the time to articulate that companies that fail to have adequate cybersecurity may suffer “substantial costs” and “negative consequences.”5 These costs include: remediation costs; the costs of making changes to controls and procedures; and the cost of regulatory actions.6 While the SEC does not set forth specific procedures, it expressly states that issuers must have established disclosure controls and procedures that provide an appropriate method of discerning the impact that such matters may have on the company and its business, financial condition, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents.”7 These controls and procedures for cyber risk must be certified and disclosed in the company’s regular financial statements.8
Cyber Risk Controls and Procedures
The responsibility for developing cyber risk controls and procedures is squarely upon the company’s directors and officers.9 While these disclosures need not be detailed, they must be made within the existing framework for reporting any other material event.10 Accordingly, the same Exchange Act Rules 13a-15 and 15d-15 require disclosure of controls and procedures, tested by company management, for cyber risks.
The materiality of cyber risks or incidents depends on the importance of the information in question. The range of harm from the loss of control over the information is driven by potential damage to: the company’s reputation, financial performance; customer and vendor relationships; and the possibility of litigation or regulatory investigations or actions.11
In disclosing these risks, the Commission states that companies should describe management’s controls and procedures, not the technical details of the company’s networks. These controls and procedures should focus on how issues are communicated to the board. While the details of these controls and procedures are left unsaid by the SEC, they do state that the disclosure should be tailored to the specific company, industry, risks, and incidents.12 Generic, catch-all disclosures will not be sufficient.
Breach Disclosures Must Be Made on a Rolling Basis
The Commission expressly expects that both internal and external (law enforcement) investigations may affect the ability to fully disclose the breach.13 However, the SEC envisions quarterly corrective disclosures in lock step with those investigations.14 Corporate boards and directors are admonished that they “should also ensure timely collection and evaluation of information potentially subject to required disclosure, or relevant to an assessment of the need to disclose developments and risks that pertain to the company’s businesses.”15
The message: the clock is ticking
In light of the Yahoo! settlement, corporate boards and directors should adhere to a quarterly update schedule for the disclosure of material cyber risks. In anticipation of each quarterly filing, the controls and procedures of the company should encourage a searching cyber materiality analysis. Even if the risks have already been disclosed, the company’s analysis should include analysis of supplemental, clarifying disclosures. More information about the SEC’s approach will likely come soon. For now, any emerging cyber risk is on a 3-month clock.