SEC releases guidance on public company cybersecurity disclosures

SEC releases guidance on public company cybersecurity disclosures

Organizations should carefully evaluate their disclosure obligations now; guidance focuses on preparing disclosures about cybersecurity risks and incidents

Recognizing the frequency, magnitude and cost of cybersecurity incidents, the Securities and Exchange Commission (SEC) released its guidance on public company cybersecurity disclosures on Feb. 21, 2018. The guidance expands upon the 2011 cybersecurity disclosure guidance issued by the staff of the SEC Division of Corporate Finance. The new guidance stresses the importance of the board’s role in cybersecurity risk management, the need for cybersecurity policies and procedures, considerations for insider trading prohibitions and Regulation Fair Disclosure (FD) and selective disclosure prohibitions in the cybersecurity context.

Why this is important

The new guidance provides further clarification to help public companies better understand and assess their disclosure obligations related to cybersecurity incidents. Companies can use the guidance to ensure their public disclosures and related controls meet regulatory and investor expectations.

What you need to know

The newly issued guidance instructs public companies to:

  • Inform investors in management’s discussion and analysis (MD&A) related to material cybersecurity risks and incidents, including the actual or potential costs and consequences, in compliance with federal securities laws. MD&A disclosures should address cybersecurity efforts, costs associated with cybersecurity incidents, and consequences that have material effect on operations, liquidity and results of operations that would be indicative of changes in financial condition.
  • Implement and enforce comprehensive disclosure policies and procedures to make accurate and timely cybersecurity disclosures.
  • Defend against insider trading risks and selective disclosure in the context of cybersecurity incidents from the time of discovery of a cyber event to public disclosure. Incidents requiring disclosure are those that affect a company’s product, services, and relationships with client, vendors, or alter their competitive advantage.

How this expands upon previous disclosure guidance

While this release does not impose new standards on public companies with regard to cybersecurity disclosure, it builds upon previous disclosure guidance by:

  • Clarifying that disclosure controls and procedures should enable organizations to identify cybersecurity risks and incidents, assess their implications and make timely disclosures.
  • Emphasizing the importance of maintaining insider trading and Regulation FD policies that address cybersecurity risks to material, non-public information.
  • Addressing how the board of directors oversees cybersecurity risk management.
  • Clarifying the effect of cybersecurity incidents on reportable segments in management’s discussion and analysis.
  • Explaining how materiality, along with many laws, rules, regulations and SEC form requirements must be considered when preparing cybersecurity disclosures.

What you should do now

Companies that have adopted the 2011 guidance should consider the need to re-evaluate their cybersecurity-related disclosures in light of the additional guidance provided by the SEC. All companies should carefully consider taking action to address the following:

Assess cybersecurity governance structure – Ensure cybersecurity risk management is not the exclusive responsibility of IT. Company officers and the board of directors should have a thorough understanding of cybersecurity risks that could have an impact on their organization, while also recognizing their oversight role in managing these risks.

Review and refresh public disclosure controls and procedures – Verify existing controls and procedures and evaluate their effectiveness in identifying and addressing cybersecurity risks and incidents. This should also include a clear path of escalation consistent with the company’s incident response plan when an identified cybersecurity risk occurs and analyzing its impact. Make revisions as necessary to best prepare for the future.

Evaluate insider trading policies and procedures – Consider how the company’s code of ethics and insider trading policies prevent trading on the basis of material, non-public information related to cybersecurity risks and incidents. Update these policies as necessary to proactively mitigate the substantial costs associated with improper trading during the period following an incident and prior to disclosure.

Connect with us.

For more information, contact Baker Tilly’s cybersecurity and IT risk practice. You can also download our ebook “Roadmap to Building a Sustainable Cybersecurity Management Program” or learn more about our cybersecurity services.

Man works on computer
Next up

How materiality is established in an audit or a review