Revisions to insider trading policies and codes of ethics may be appropriate. In particular, in view of the SEC’s statement regarding avoiding the appearance of improper trading, careful consideration should be given to policies and procedures governing trading windows and blackout periods, and possibly to Rule 10b5-1 trading programs and plans.
Regulation FD policies
The SEC reminds companies that Regulation FD prohibits companies and persons acting on their behalf (often noted as “authorized spokespersons” in a company’s Regulation FD policy) from selectively disclosing material nonpublic information about cybersecurity risks and incidents to Regulation FD enumerated persons.
Boards should discuss with management whether the company’s Regulation FD policy specifically identifies cybersecurity risks and incidents as potentially being material nonpublic information subject to the policy.
Board risk oversight
The guidance reiterates a prior SEC statement that “disclosure about the board’s involvement in the oversight of the risk management process should provide important information to investors about how a company perceives the role of its board and the relationship between the board and senior management in managing the material risks facing the company.” In this regard, the SEC states that companies “must [disclose] how the board administers its risk oversight function.” The release further provides that companies should disclose:
- The company’s cybersecurity risk management program
- The board’s role in overseeing the management of material cybersecurity risks
- How the board engages with management on cybersecurity issues
To address this guidance, boards should review their meeting calendars and agendas to determine whether they allow sufficient frequency, time and information to oversee cybersecurity risks and to discuss cybersecurity matters with management, including how cybersecurity risks are identified and assessed in light of ongoing and increasingly complex cybersecurity threats.
Boards should also discuss with management whether the company’s enterprise risk management program and disclosure controls and procedures are appropriately interlinked, scaled and flexible to serve their purposes with respect to identification, handling and disclosure of cybersecurity risks and incidents.
The release updates and reinforces the 2011 guidance by reminding companies that the SEC’s disclosure requirements apply to cybersecurity risks and incidents that could have a material impact on the company, including:
- Risk factors
- Management’s discussion and analysis of financial condition and results of operations
- Business description
- Legal proceedings
- Financial statement disclosures
The SEC expects companies to disclose cybersecurity risks and incidents that are material to investors, including their financial, legal or reputational consequences. In this regard, the SEC also reiterates that companies are not expected to “publicly disclose specific, technical information about their cybersecurity systems, the related networks or devices, the potential system vulnerabilities in such detail as would make such systems, networks, and devices more susceptible to a cybersecurity incident,” or other details that would provide a road map for anyone seeking to penetrate a company’s security protections.
The SEC will continue to monitor cybersecurity disclosures carefully and consider whether additional actions are needed. The guidance became effective on February 26, 2018 upon publication in the Federal Register.
Questions for the board to consider
- Do the company’s disclosure controls and procedures provide an “early warning system” that enables the company to identify, assess, address and make timely disclosures about cybersecurity risks and incidents?
- Do the company’s disclosure controls and procedures, or other relevant policies and procedures, include escalation criteria and protocols that facilitate timely communications to the board on cybersecurity-related risk events or incidents?
- Has the board considered an independent assessment of the company’s cybersecurity risk management process and related reporting to help ensure the processes are appropriate and sound?
- Do the company’s code of ethics, Regulation FD policy, insider trading policy and procedures for determining trading windows and blackout periods appropriately and clearly address cybersecurity risks and incidents? If a cybersecurity risk or incident occurred, can management determine whether or when to prohibit trading in the company’s securities or to prevent authorized spokespersons from selectively disclosing information?
- Does the board understand how the cybersecurity risk management program is integrated into the company’s overall enterprise risk management program, and are the reporting lines for compliance personnel (e.g., Chief Information Security Officer) who have responsibility for cybersecurity risk oversight appropriate?
- Does the board have the right directors, committee structure and access to information to oversee cybersecurity matters? Has the company considered whether it should enhance its disclosures about how cybersecurity fits into the board’s risk oversight function and how the board is engaging with management on this issue?
- Does the company provide appropriate disclosures about cybersecurity risks and incidents consistent with the new guidance?