6 minute read 1 Mar 2018

How the SEC’s guidance on cybersecurity impacts financial services boards

Authors

Cindy Doe

EY Americas Advisory Risk Leader

Seasoned financial services professional. Resides in Massachusetts with her husband and three children.

Mark Watson

EY Americas FSO Board Matters Deputy Leader

Focused on helping financial services firms become resilient and well-governed. Passionate about sound public policy. Avid movie goer. Electronic dance music fan. Proud Anglo-American.


SEC guidance advises companies to proactively maintain procedures to swiftly inform the public of a cybersecurity incident. 

On February 21, 2018, the Securities and Exchange Commission (SEC) unanimously approved the issuance of interpretive guidance regarding public companies’ disclosure obligations under existing law regarding cybersecurity risk and incidents. This guidance is especially important given that a recent US Council of Economic Advisers report highlighted that, of more than 1,900 breaches reported in 2016, almost 25% were in the financial services industry.1

The new guidance carries more weight because it was issued by the SEC itself and goes beyond the 2011 Guidance by addressing the importance of insider trading prohibitions and the application of disclosure controls and procedures to cybersecurity risks and incidents, including:

  • Stressing the importance of maintaining “comprehensive policies and procedures related to cybersecurity risks and incidents,” in particular as incorporated into a company’s disclosure controls and procedures
  • Reminding companies and their directors, officers and other corporate insiders of the laws and rules relating to insider trading and selective disclosure
  • Expanding the existing disclosure guidance to address how the board of directors oversees the management of cybersecurity risk, as well as management’s discussion and analysis of how cybersecurity incidents affected reportable segments
  • Discussing how materiality, as well as the many laws, rules, regulations and SEC form requirements, must be considered when preparing cybersecurity disclosures


Board considerations

“Cybersecurity risks pose grave threats to our investors, our capital markets, and our country,” states the SEC in the release. It continues: “[a]s companies’ exposure to and reliance on networked systems and the Internet have increased, the attendant risks and frequency of cybersecurity incidents also have increased. ... Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.”

We observed in our Top priorities for US Boards in 2018 that cybersecurity, along with other technology matters, is a key priority for board focus. Boards need to be aware of the SEC’s new guidance as they continue to manage and enhance their oversight of cybersecurity risks and incidents, as well as company policies and procedures that should specifically address these matters. Financial services boards have a critical role to play in governing cyber risks and have a number of competing issues to grapple with in order to provide effective oversight.

Policies and procedures

Disclosure controls and procedures

The release states that “[c]rucial to a public company’s ability to make any required disclosure of cybersecurity risks and incidents in the appropriate timeframe are disclosure controls and procedures that provide an appropriate method of discerning the impact that [cybersecurity risks and incidents] may have on the company and its business, financial condition, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents.”

The release adds that effective disclosure controls and procedures are “best achieved when a company’s directors, officers, and other persons responsible for developing and overseeing such controls and procedures are informed about the cybersecurity risks and incidents that the company has faced or is likely to face.”

Disclosure controls and procedures, therefore, should provide an “early warning system” to enable companies to determine whether — with respect to any matter, including a cybersecurity matter — they need to file a current report on Form 8-K, make a disclosure in any other SEC filing, issue a press release or suspend trading in their stock. Disclosure controls and procedures should provide for a clear line of vertical organizational reporting up the chain to senior management of any matter that could implicate disclosure, compliance or any other important business matters.

Codes of ethics and insider trading policies

The release reminds companies that information about cybersecurity risks and incidents may be material nonpublic information. As such, the SEC encourages companies to consider how their codes of ethics and insider trading policies take into account and look to prevent trading on the basis of material nonpublic information regarding cybersecurity risks and incidents.

Significantly, the SEC states “that companies would be well served by considering how to avoid the appearance of improper trading during the period following an incident and prior to the dissemination of disclosure.”

Boards, or the appropriate board committee, should discuss with management whether the company’s insider trading policy and code of ethics adequately explain that cybersecurity matters may be material and thus required to be disclosed, and that, prior to disclosure of material information about an existing cybersecurity matter, prohibitions will be imposed on trading in the company’s securities. Revisions to insider trading policies and codes of ethics may be appropriate. In particular, in view of the SEC’s statement regarding avoiding the appearance of improper trading, careful consideration should be given to policies and procedures regarding trading windows and blackout periods, and possibly on Rule 10b5-1 trading programs and plans.

Regulation FD policies

The release reminds companies that Regulation FD (Fair Disclosure) prohibits companies and persons acting on their behalf (often noted as “authorized spokespersons” in a company’s Regulation FD policy) from selectively disclosing material nonpublic information about cybersecurity risks and incidents to Regulation FD enumerated persons. Boards should discuss with management whether the company’s Regulation FD policy specifically identifies cybersecurity risks and incidents as potentially being material nonpublic information subject to the policy.

Board risk oversight

Boards should also discuss with management whether the company’s enterprise risk management program and disclosure controls and procedures are appropriately interlinked, scaled and flexible to serve their purposes with respect to identification, handling and disclosure of cybersecurity risks and incidents. The manner in which cyber risk is mitigated through cyber insurance is also important.

Disclosures

The release updates and reinforces the 2011 Guidance by reminding companies that the SEC’s disclosure requirements apply to cybersecurity risks and incidents that could have a material impact on the company, including:

  • Risk factors
  • Management’s discussion and analysis of financial condition and results of operations
  • Business description
  • Legal proceedings
  • Financial statement disclosures

The SEC expects companies to disclose cybersecurity risks and incidents that are material to investors, including the financial, legal or reputational consequences. In this regard, the SEC also reiterates that companies are not expected to “publicly disclose specific, technical information about their cybersecurity systems, the related networks and devices, or potential system vulnerabilities in such detail as would make such systems, networks, and devices more susceptible to a cybersecurity incident,” or other details that would provide a road map for anyone seeking to penetrate a company’s security protections.

The SEC will continue to monitor cybersecurity disclosures carefully and consider whether additional actions are needed. The guidance became effective on February 26, 2018, upon publication in the Federal Register.2

    1. The Cost of Malicious Cyber Activity to the U.S. Economy (page 19), The Council of Economic Advisers, February 2018.
    2. Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Federal Register, February 26, 2018.

Summary

The SEC release updates and reinforces guidance provided in 2011 by the SEC’s Division of Corporation Finance (2011 Guidance), which provided an overview of specific SEC disclosure obligations that may require companies to discuss cybersecurity risks and cyber incidents. SEC action on cybersecurity matters has been anticipated and, in a statement announcing the guidance, SEC Chair Jay Clayton noted that the SEC “will continue to evaluate developments in this area and consider feedback about whether any further guidance or rules are needed.”
