Policies and procedures
Disclosure controls and procedures
The release states that “[c]rucial to a public company’s ability to make any required disclosure of cybersecurity risks and incidents in the appropriate time frame are disclosure controls and procedures that provide an appropriate method of discerning the impact that [cybersecurity risks and incidents] may have on the company and its business, financial condition, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents.”
The release adds that effective disclosure controls and procedures are “best achieved when a company’s directors, officers, and other persons responsible for developing and overseeing such controls and procedures are informed about the cybersecurity risks and incidents that the company has faced or is likely to face.”
Disclosure controls and procedures, therefore, should provide an “early warning system” to enable companies to determine whether — with respect to any matter, including a cybersecurity matter — they need to file a current report on Form 8-K, make disclosure in any other SEC filing, issue a press release or suspend trading in their stock.
Disclosure controls and procedures should provide for a clear line of vertical organizational reporting up the chain to senior management of any matter that could implicate disclosure, compliance or any other important business matters.
Boards should discuss with management whether their companies’ disclosure controls and procedures are appropriately designed to capture and address cybersecurity matters, including by helping to ensure that relevant information about cybersecurity risks and incidents is accumulated and communicated to senior management and the board, allowing timely decisions about what disclosure may be appropriate or required under the circumstances.
Codes of ethics and insider trading policies
The release reminds companies that information about cybersecurity risks and incidents may be material nonpublic information. As such, the SEC encourages companies to consider how their codes of ethics and insider trading policies take into account and look to prevent trading on the basis of material nonpublic information regarding cybersecurity risks and incidents.
Significantly, the SEC states “that companies would be well served by considering how to avoid the appearance of improper trading during the period following an incident and prior to the dissemination of disclosure.”
Boards, or the appropriate board committee, should discuss with management whether the company’s insider trading policy and code of ethics adequately explain that cybersecurity matters may be material and thus required to be disclosed, and that, prior to disclosure of material information about an existing cybersecurity matter, prohibitions will be imposed on trading in the company’s securities.