“Cybersecurity risks pose grave threats to our investors, our capital markets, and our country,” states the SEC in the release. It continues: “[a]s companies’ exposure to and reliance on networked systems and the Internet have increased, the attendant risks and frequency of cybersecurity incidents also have increased. ... Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.”
We observed in our Top priorities for US Boards in 2018 that cybersecurity, along with other technology matters, is a key priority for board focus. Boards need to be aware of the SEC’s new guidance as they continue to manage and enhance their oversight of cybersecurity risks and incidents, as well as company policies and procedures that should specifically address these matters. Financial services boards have a critical role to play in governing cyber risks and have a number of competing issues to grapple with in order to provide effective oversight.
Policies and procedures
Disclosure controls and procedures
The release states that “[c]rucial to a public company’s ability to make any required disclosure of cybersecurity risks and incidents in the appropriate timeframe are disclosure controls and procedures that provide an appropriate method of discerning the impact that [cybersecurity risks and incidents] may have on the company and its business, financial condition, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents.”
The release adds that effective disclosure controls and procedures are “best achieved when a company’s directors, officers, and other persons responsible for developing and overseeing such controls and procedures are informed about the cybersecurity risks and incidents that the company has faced or is likely to face.”
Disclosure controls and procedures, therefore, should provide an “early warning system” that enables a company to determine whether — with respect to any matter, including a cybersecurity matter — it needs to file a current report on Form 8-K, make a disclosure in any other SEC filing, issue a press release or suspend trading in its stock. Disclosure controls and procedures should also provide a clear reporting line up the chain to senior management for any matter that could implicate disclosure, compliance or other important business concerns.
Codes of ethics and insider trading policies
The release reminds companies that information about cybersecurity risks and incidents may be material nonpublic information. As such, the SEC encourages companies to consider how their codes of ethics and insider trading policies take into account and look to prevent trading on the basis of material nonpublic information regarding cybersecurity risks and incidents.
Significantly, the SEC states “that companies would be well served by considering how to avoid the appearance of improper trading during the period following an incident and prior to the dissemination of disclosure.”
Boards, or the appropriate board committee, should discuss with management whether the company’s insider trading policy and code of ethics adequately explain that cybersecurity matters may be material and thus required to be disclosed, and that, prior to disclosure of material information about an existing cybersecurity matter, prohibitions will be imposed on trading in the company’s securities. Revisions to insider trading policies and codes of ethics may be appropriate. In particular, in view of the SEC’s statement regarding avoiding the appearance of improper trading, careful consideration should be given to policies and procedures regarding trading windows and blackout periods, and possibly on Rule 10b5-1 trading programs and plans.
Regulation FD policies
The release reminds companies that Regulation FD (Fair Disclosure) prohibits companies and persons acting on their behalf (often designated as “authorized spokespersons” in a company’s Regulation FD policy) from selectively disclosing material nonpublic information about cybersecurity risks and incidents to the categories of persons enumerated in Regulation FD. Boards should discuss with management whether the company’s Regulation FD policy specifically identifies cybersecurity risks and incidents as potentially being material nonpublic information subject to the policy.
Board risk oversight
Boards should also discuss with management whether the company’s enterprise risk management program and disclosure controls and procedures are appropriately interlinked, scaled and flexible to serve their purposes with respect to identification, handling and disclosure of cybersecurity risks and incidents. The manner in which cyber risk is mitigated through cyber insurance is also important.