Recognizing the frequency, magnitude and cost of cybersecurity incidents, the Securities and Exchange Commission (SEC) released its guidance on public company cybersecurity disclosures on Feb. 21, 2018. The guidance expands upon the 2011 cybersecurity disclosure guidance issued by the staff of the SEC Division of Corporate Finance. The new guidance stresses the importance of the board’s role in cybersecurity risk management, the need for cybersecurity policies and procedures, and considerations for insider trading prohibitions and for Regulation Fair Disclosure (Regulation FD) and selective disclosure prohibitions in the cybersecurity context.
The new guidance provides further clarification to help public companies better understand and assess their disclosure obligations related to cybersecurity incidents. Companies can use the guidance to ensure their public disclosures and related controls meet regulatory and investor expectations.
The newly issued guidance instructs public companies to:
While this release does not impose new standards on public companies with regard to cybersecurity disclosure, it builds upon previous disclosure guidance by:
Companies that have adopted the 2011 guidance should consider the need to re-evaluate their cybersecurity-related disclosures in light of the additional guidance provided by the SEC. All companies should carefully consider taking action to address the following:
Assess cybersecurity governance structure – Ensure cybersecurity risk management is not the exclusive responsibility of IT. Company officers and the board of directors should have a thorough understanding of cybersecurity risks that could have an impact on their organization, while also recognizing their oversight role in managing these risks.
Review and refresh public disclosure controls and procedures – Verify existing controls and procedures and evaluate their effectiveness in identifying and addressing cybersecurity risks and incidents. This should also include a clear escalation path, consistent with the company’s incident response plan, for when an identified cybersecurity risk materializes, together with an analysis of its impact. Make revisions as necessary to best prepare for the future.
Evaluate insider trading policies and procedures – Consider how the company’s code of ethics and insider trading policies prevent trading on the basis of material, non-public information related to cybersecurity risks and incidents. Update these policies as necessary to proactively mitigate the substantial costs associated with improper trading during the period following an incident and prior to disclosure.
For more information, contact Baker Tilly’s Cybersecurity and IT Risk practice. You can also download our ebook “Roadmap to Building a Sustainable Cybersecurity Management Program” or learn more about our cybersecurity services.