SEC releases new cybersecurity guidance for publicly traded companies

By John DeMarzo, Risk Advisory Services Associate | Cybersecurity Services Team

In the wake of data breaches occurring at companies such as Yahoo in 2014 (3 billion user accounts compromised) and Equifax in 2017 (143 million consumers’ records stolen), the SEC has released updated cybersecurity guidance for publicly traded companies.

“The guidance is meant to assist public companies in preparing disclosures about cybersecurity risks and incidents,” the SEC said in a statement.

New and Reinforced Disclosure Requirements

Prior to this latest release, the SEC had not released cyber-related guidance since 2011. Back then, it was only suggested that businesses disclose information security risks and incidents to investors. However, due to the severity of recent data breaches, the SEC deemed additional guidance necessary.

The suggestions from 2011 have now become requirements. With this new interpretation, “risk factor” disclosures must include cybersecurity risks. Additionally, the SEC requires disclosure of material cyber incidents and the emergence of new risks, whether or not a cyber incident has occurred, via form 8-K. Non-US firms would use different forms, but the equivalent disclosures are required for non-US issuers as well.

The SEC also urged organizations not to disclose too much information about their cyber defenses, so as to not create a new risk. “We do not expect companies to publicly disclose specific, technical information about their cybersecurity systems, the related networks and devices, or potential system vulnerabilities in such detail as would make such systems, networks, and devices more susceptible to a cybersecurity incident,” the guidance reads. Determining what to disclose and what not to disclose should be part of the disclosure control process every SEC filer should already have in place.

Boards of directors are also on the hook. Item 407(h) of Regulation S-K and Item 7 of Schedule 14A require disclosure of the board’s role in “risk oversight.” As a result of this interpretation, these requirements now include cybersecurity risk.  Board members would be wise to freshen up on high-level cyber topics so they can serve appropriately in this oversight role.

Insider Trading

After the Equifax breach, several Equifax executives sold almost $2 million in Equifax stock after the breach, but before the disclosure, raising the specter of insider trading. In fact, the Department of Justice reportedly opened an investigation into the trades. As a consequence, the new SEC requirements encourages companies to have policies and procedures in place to prevent insiders from trading against non-public cyber related information before it is disclosed.

Compliance Burden

This newest requirement is just one of the many cybersecurity requirements an organization may need to adhere to.

“Although this is the first time we’ve heard from the SEC recently, other regulatory bodies have been levying requirements around the country,” said Chris Moschella, Keiter’s Cybersecurity Services team leader. “Other regulations are constantly being issued and updated from industry specific groups, regulators, and even states,” Moschella said, “which creates complex and costly compliance requirements for many companies.”

However, this latest requirement, on its own, is not likely to create significant burdens for SEC filers.

Cyber risk is a lamentable reality, but it is reality. We are working hard every day to protect the data entrusted to us by our clients, and to provide cybersecurity resources and services to help our clients stay secure. Organizational leaders looking to understand the basic cybersecurity principles that will help keep them safe should consider starting with Keiter’s whitepaper.

Interested in learning more about Keiter’s cybersecurity services? Contact our Cybersecurity Team.  We are here to help.

Resources:

• SOC for Cybersecurity: An Answer to Leadership’s Cybersecurity Responsibilities
• Five Reasons Why Your IT Outsourcer Isn’t Keeping You Cyber Secure (and neither is your internal IT team)
• Infosecstack: Your Collection of Free Cybersecurity Resources
• Cybersecurity: So You Think You Have A Breach
• Cybersecurity: Educate and Motivate Staff to Be Careful
• Access all of our Cybersecurity Resources