The number of cybersecurity-related disclosures that companies must provide to markets and investors has steadily increased over the past five years. Of all the perils associated with any cyberattack, a poorly-timed disclosure with insufficient information—or the lack of any disclosure when one should have been made—can sometimes cause more damage than the attack itself. In February 2018, the Securities and Exchange Commission unanimously voted to approve a “Statement and Guidance on Public Company Cybersecurity Disclosures” (2018 Guidance), 83 FR 8166, to aid public companies preparing disclosures about cybersecurity incidents, policies, procedures, and risks. The 2018 Guidance expands upon disclosure guidance first issued in 2011; this, among other competing disclosure obligations of not only state law, but European law as well, creates a hodgepodge of requirements that must be navigated carefully by counsel.
2011 Disclosure Guidance
The SEC’s Division of Corporate Finance first issued guidance on disclosure obligations in October 2011. See “CF Disclosure Guidance: Topic No. 2—Cybersecurity” (2011 Guidance). While no disclosure requirements at that time explicitly referred to cybersecurity risks and cyber incidents, the 2011 Guidance clarified that companies may nevertheless be obliged to disclose “timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision.” The Guidance offered the following example:
“[I]f material intellectual property is stolen in a cyberattack, and the effects of the theft are reasonably likely to be material, the registrant should describe the property that was stolen and the effect of the attack on its results of operations, liquidity, and financial condition and whether the attack would cause reported financial information not to be indicative of future operating results or financial condition. If it is reasonably likely that the attack will lead to reduced revenues, an increase in cybersecurity protection costs, including related to litigation, the registrant should discuss these possible outcomes, including the amount and duration of the expected costs, if material.”
In the eyes of many companies, these disclosure recommendations have become “mandatory,” especially since the SEC has issued penalties for neglecting their import and the need for timely disclosure. See, e.g., Altaba, Formerly Known as Yahoo!, Charged With Failing to Disclose Massive Cybersecurity Breach (SEC Press Release, Apr. 24, 2018).
2018 Cybersecurity Guidance
The SEC issued its 2018 Guidance to summarize the guidelines concerning cybersecurity disclosure requirements, to reinforce and expand upon the 2011 Guidance, and to address two topics not previously addressed: (1) the significance of cybersecurity risk management procedures and policies, and (2) insider trading restrictions concerning cybersecurity.
The 2018 Guidance emphasizes the significance of policies and procedures concerning cybersecurity disclosures and the need to elevate cyber-risks and incidents to senior management so that disclosures can be made in a timely fashion:
“In determining their disclosure obligations regarding cybersecurity risks and incidents, companies generally weigh, among other things, the potential materiality of any identified risk and, in the case of incidents, the importance of any compromised information and of the impact of the incident on the company’s operations. The materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations. The materiality of cybersecurity risks and incidents also depends on the range of harm that such incidents could cause. This includes harm to a company’s reputation, financial performance, and customer and vendor relationships, as well as the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities.” 83 FR at 8168-69.
As for the escalation of incidents, the 2018 Guidance says: “Companies should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications….” 83 FR at 8171.
The 2018 Guidance also provides that directors and officers (along with anyone else with the responsibility of developing and monitoring disclosure procedures and controls) must be updated on cybersecurity risks and incidents. Indeed, the SEC recommends that companies include a description of how the board administers its risk oversight function. The SEC notes: “To the extent cybersecurity risks are material to a company’s business, we believe this discussion should include the nature of the board’s role in overseeing the management of that risk. In addition, we believe disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.” 83 FR at 8170.
The SEC’s focus on the importance of directors overseeing cybersecurity is not new. Former Commissioner Luis Aguilar gave a speech in 2014 wherein he stated: “Clearly, boards must take seriously their responsibility to ensure that management has implemented effective risk management protocols. Boards of directors are already responsible for overseeing the management of all types of risk, including credit risk, liquidity risk, and operational risk—and there can be little doubt that cyber-risk also must be considered as part of board’s overall risk oversight.” See “Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus” (Speech by SEC Commissioner Luis A. Aguilar, Jun. 10, 2014).
The 2018 Guidance also notes that corporate insiders (i.e., directors and officers) must not trade a public company’s securities while having private cyber-incident information not yet disclosed to the public. According to the guidance, public companies must have procedures and policies in place to prevent insiders from trading before a breach is disclosed to the public and to facilitate the fastest possible disclosure of material nonpublic information relating to a breach.
How and Where Disclosures Should Be Made
Companies should generally contemplate the materiality of cybersecurity incidents and risks when preparing the disclosure mandated in the Securities Act of 1933 (“Securities Act”) and the Securities Exchange Act of 1934 (“Exchange Act”), as well as the periodic and updated reports required under the Exchange Act. Requisite forms usually concern the disclosure mandates of Regulation S–K and Regulation S–X. These mandates don’t specifically refer to cyber-risks or incidents, but, as the 2018 Guidance states, they can apply to them given the appropriate situation. These reports include annual reports on Form 10–K and quarterly reports on Form 10–Q.
Depending upon the circumstances of the cybersecurity incident, reporting under Form 8–K of the Exchange Act may also be warranted. This is a “real-time reporting requirement” that corporations must use when certain corporate events take place. In light of the SEC’s 2018 Guidance, and considering the severity and materiality of the cyber incident in question, companies should thoughtfully consider whether a sophisticated cybersecurity attack involving the significant loss of customer, credit card, or healthcare information might warrant the filing of a Form 8–K in addition to other required disclosures.
In its 2018 Guidance, the SEC urges companies to continue using Form 8–K or 6–K to disclose material information promptly even if it is not “all” of the information relating to the breach. The SEC believes that this will minimize the risk of “selective disclosure,” as well as the risk of trading in securities with material, non-public information. As stated in the 2018 Guidance, companies must disclose any additional material information to make the original mandated statement clear and not misleading. Omitted information is material if there is a substantial likelihood that a reasonable investor would deem the information a deciding factor when making an investment decision.
Disclosure Obligations Beyond the SEC
Decisions on how and when to disclose become more complex when an organization is subject to different disclosure obligations in multiple jurisdictions.
In the international context, the European Union’s General Data Protection Regulation (GDPR) generally requires disclosure of a personal data breach within 72 hours after having become “aware” of it. U.S. securities laws do not mandate a hard deadline, but rather allow corporate officials to use their business judgment regarding the materiality of information potentially subject to disclosure. And while the SEC doesn’t mandate that companies disclose information as quickly as possible, it seemingly encourages it, as evidenced by the 2018 Guidance.
Stateside, companies must be aware of the labyrinth of breach notification statutes now in effect in all 50 states, the District of Columbia, and the territories of Guam, Puerto Rico, and the U.S. Virgin Islands. Companies may also be subject to sector-specific cybersecurity and privacy laws/regulations that require disclosures of cybersecurity incidents, such as the New York Department of Financial Services Cybersecurity Regulation, the Gramm-Leach-Bliley Act Financial Privacy Rule, the Payment Card Industry Data Security Standard, and the HIPAA Privacy Rule.
How do companies balance these competing and sometimes conflicting disclosure obligations? Here are some considerations to take into account:
- Pay attention to your primary “regulator” in the first instance. If you are a public company, it’s the SEC. A robust road map of what is expected now exists and should be followed. Is the breach material? If so, there are certain requirements, like disclosing what you know as soon as possible. While this may not require rushing to make a statement, the 2018 Guidance makes clear that a statement should be made as soon as possible.
- Your initial notification might not suffice under state notification guidelines. This is important. Federal notifications, for the most part, are left to the drafting of the company that was materially breached. Language can vary. But note that most states have their own statutory requirements that ask for additional disclosures, like the number of customers affected in each state, and remedial measures taken. Disclosure counsel should understand these subtleties and coordinate the federal and state disclosures.
- Pay attention to time deadlines. This practice point can have serious implications. Breaches can be obvious, perhaps arising from a previously disclosed vulnerability or software flaw. Sometimes the company knows beforehand that it has been breached, but there may be times when a company does not know. The New York Department of Financial Services requires notice to be given within 72 hours after the company becomes aware of the breach. The GDPR has the same guidelines. Under SEC law, companies have four days to file a Form 8–K in which to disclose a “material other event” to shareholders and the markets. This is a limited amount of time given all that rides on the disclosures in question for a public company, its investors, and customers.
Conclusion
When the SEC issued guidance on cybersecurity disclosures in 2011, the disclosure of cybersecurity risks and incidents was in its infancy. The world has changed significantly since then, with sophisticated cyberattacks by nation-states and cyber criminals happening frequently, affecting all sorts of companies and industry sectors. While the SEC’s 2018 Guidance attempts to account for those changes, competing disclosure requirements both domestically and internationally present challenges in challenging times. By adopting these strategies, companies may be able to minimize the harmful impact of any cyberattack.
_________
Paul Ferrillo is a Shareholder in the New York City office of Greenberg Traurig. He focuses on cybersecurity corporate governance issues, complex securities and business litigation, and internal investigations. He thanks Louis Faiella IV, a summer intern, for his substantial assistance in the preparation of this article.