SEC Issues Interpretive Guidance on Cybersecurity Disclosures

By Mary Crotty, freelance writer for banks and third-party service providers

Despite our best efforts, cyber attacks continue to plague U.S. businesses, including those in the financial services industry. Even large and globally sophisticated entities fall prey, as witnessed by the Equifax breach last summer. Just as advancements in science often require new ethical standards, the latest developments in and incidents of cybercrime often result in new or updated regulatory guidance.

Although the Interpretive Guidance on cybersecurity posted in the Federal Register yesterday by the Securities and Exchange Commission (SEC) does not mention the Equifax breach, its focus on disclosure requirements and director/officer/insider ethics suggest that last summer’s extensive and embarrassing incident at one of the three major credit reporting agencies may have influenced the content and timing of this guidance.

Setting the Stage

In explaining its reason for issuing the February 26, 2018 Commission Statement and Guidance on Public Company Cybersecurity Disclosures, the SEC notes that, “In a digitally connected world, cybersecurity presents ongoing risks and threats to our capital markets and to companies operating in all industries, including public companies regulated by the Commission.”

It goes on to note that, “Today, the importance of data management and technology to business is analogous to the importance of electricity and other forms of power in the past century.” While this reliance on data and technology spurs growth and opportunity in our world, it also exposes organizations to the risk of harm to or theft of both. The preventative and mitigation efforts used to fight cybercrime extol a heavy cost.

Therefore, “Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber attack.”

Expansion of 2011 Guidance

This latest guidance expands upon original SEC guidance on cybersecurity disclosures issued in October 2011. The guidance published and effective as of February 26, 2018,  discusses two topics not specifically covered in that 2011 guidance:

1. Disclosure Policies and Procedures: “This release stresses the importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents. Companies are required to establish and maintain appropriate and effective disclosure controls and procedures that enable them to make accurate and timely disclosures of material events, including those related to cybersecurity. Such robust disclosure controls and procedures assist companies in satisfying their disclosure obligations under the federal securities law.”
2. Director/Officer/Insider Ethics: “We also remind companies and their directors, officers, and other corporate insiders of the applicable insider trading prohibitions under the general antifraud provisions of the federal securities laws and also of their obligation to refrain from making selective disclosures of material nonpublic information about cybersecurity risks or incidents.”

More from the SEC Cybersecurity Disclosure Guidance

In addition, the guidance indicates the following:

• The SEC understands that not all information may be initially available or that an investigation may still be in process, “However, an ongoing internal or external investigation–which often can be lengthy–would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.”
• Companies bound by this guidance are required to correct previous disclosures as needed due to additional or different information coming to light.
• There is a list of factors that can help a company evaluate its cybersecurity risk for disclosure purposes, including, but not limited to, the severity and frequency of past cyber incidents, the probability and potential magnitude of future occurences, and the adequacy of preventative measures.
• The financial impact of cybersecurity incidents and defense measures must be “incorporated into financial statements on a timely basis.”

Cybersecurity Should Be a Priority for All Businesses

Public companies regulated by the SEC are not the only ones at material risk from cybercrime. In today’s world, all companies are at risk, including community banks, credit unions, regional banks, and national and multi-national financial institutions. The cost of defending against cybercrime maybe be high, but the cost of not doing so is potentially much higher.