On February 21, 2018, the U.S. Securities and Exchange Commission (“SEC”) published long-awaited cybersecurity interpretive guidance (the “Guidance”). The Guidance marks the first time that the five SEC commissioners, as opposed to agency staff, have provided guidance to U.S. public companies with regard to their cybersecurity disclosure and compliance obligations.
Because the Administrative Procedure Act still requires public notice and comment for any rulemaking, the SEC cannot legally use interpretive guidance to announce new law or policy; therefore, the Guidance is evolutionary, rather revolutionary. Still, it introduces several key topics for public companies, and builds on prior interpretive releases issued by agency staff in the past.
First, the Guidance reiterates public companies’ obligation to disclose material information to investors, particularly when that information concerns cybersecurity risks or incidents. Public companies may be required to make such disclosures in periodic reports in the context of (1) risk factors; (2) management’s discussion and analysis of financial results; (3) the description of the company’s business; (4) material legal proceedings; (5) financial statements; and (6) with respect to board risk oversight. Next, the Guidance addresses two topics not previously addressed by agency staff: the importance of cybersecurity policies and procedures in the context of disclosure controls, and the application of insider trading prohibitions in the cybersecurity context.
The Guidance emphasizes that public companies are not expected to publicly disclose specific, technical information about their cybersecurity systems, nor are they required to disclose potential system vulnerabilities in such detail as to empower threat actors to gain unauthorized access. Nevertheless, the SEC noted that while it may be necessary to cooperate with law enforcement and that ongoing investigation of a cybersecurity incident may affect the scope of disclosure regarding an incident, the mere existence of an ongoing internal or external investigation does not provide a basis for avoiding disclosures of a material cybersecurity incident. The guidance concludes with a reminder that public companies are prohibited in many circumstances from making selective disclosure about cybersecurity matters under SEC Regulation Fair Disclosure.
The Guidance is perhaps most notable for the issues it does not address. In a statement issued coincident with the release of the new guidance, Commissioner Kara Stein expressed disappointment that the Guidance did not go further to highlight four areas where she would have liked to see the SEC seek public comment:
- rules that address improvements to the board’s risk management framework related to cyber risks and threats;
- minimum standards to protect investors’ personally identifiable information, and whether such standards should be required for key market participants, such as broker-dealers, investment advisers and transfer agents;
- rules that would require a public company to provide notice to investors (e.g., a Current Report on Form 8-K) in an appropriate time frame following a cyberattack, and to provide useful disclosure to investors without harming the company competitively; and
- rules that are more programmatic and that would require a public company to develop and implement cybersecurity-related policies and procedures beyond basic disclosure.
Given the intense public and political interest in cybersecurity disclosure by public companies, we anticipate that this latest guidance will not be the SEC’s final word on this critical issue.