
The Securities and Exchange Commission recently updated guidance to public companies regarding cybersecurity disclosures and disclosure policies. The Commission also suggested that it may base future insider trading cases on trading ahead of the announcement of material cybersecurity events. To reduce the risk of enforcement actions, public companies should revisit existing cybersecurity disclosures and policies. Consistent with other trends in regulation, the SEC guidance likely will accelerate public reporting of cybersecurity breaches.


Recent SEC Guidance

The guidance issued recently focuses on public company disclosures and related policies and procedures.

  • The Commission wants public companies to move beyond boilerplate cybersecurity disclosures to a more individualized, thoughtful review of risks. Those disclosure enhancements are meant to foster more rigorous self-examination of risks and mitigation plans. Boards should be involved in this review.
  • The SEC urges near-immediate reporting of cybersecurity events. The guidelines encourage public companies to disclose events on Form 8-K, rather than waiting for quarterly and annual reports.
  • The emphasis on disclosure controls and on CEO and CFO certifications effectively invites audit firms to increase their testing in this area.

With these objectives in mind, public companies should: (1) update periodic reports to enhance cybersecurity disclosures; (2) consider reporting breaches on Form 8-K; and (3) revisit disclosure policies and procedures.

Update Periodic Reports

A majority of large public companies currently use risk factor disclosures to highlight cybersecurity risks. In the Commission's view, this approach may be insufficient.

The guidance asks public companies to enhance and tailor risk factor disclosures to account for risks associated with cybersecurity. Public companies should contemplate: (1) the severity and frequency of prior cybersecurity incidents; (2) the probability and magnitude of incidents; (3) steps taken to mitigate the risk, including any limitations on the ability to control these risks; (4) specific aspects of the company's business, operations, suppliers, service providers and industry that carry material risk, as well as the attendant costs and consequences; (5) costs associated with cybersecurity protection, including insurance and service providers; (6) the potential for reputational harm; (7) existing or pending laws or regulations applicable to the company; and (8) potential litigation, investigation and remediation costs associated with cybersecurity events. If an ongoing or past incident affects the evaluation of risk, the issuer may need to disclose the actual events to place the risk disclosures in context.

Beyond risk factors, the Commission asks public companies to enhance disclosure of cybersecurity risks and incidents in other areas of annual reports, quarterly reports and registration statements:

  • Management Discussion and Analysis (MD&A)—Public companies should incorporate into MD&A a review of the material costs and consequences of cybersecurity risks and of any actual or ongoing incident. For companies that have not experienced material cybersecurity incidents, the most pertinent aspect of MD&A is the discussion of events, trends or uncertainties that are reasonably likely to affect operations, liquidity or financial condition. In drafting this disclosure, public companies should address the costs associated with cybersecurity events, including the immediate impact, litigation, investigation, remediation, reputational harm, insurance and intellectual property losses. The Commission expects companies to consider the impact on each reportable segment.
  • Description of Business—Disclosure may be required in the description of the business when the event or risk materially affects the company's products, services, customer and supplier relationships, or competitive conditions.
  • Legal Proceedings—Issuers should disclose material legal proceedings arising from a cybersecurity incident.
  • Board Oversight—Issuers should include the management of cybersecurity in the discussion of board oversight. Specifically, the report should discuss the board's role in managing this risk and the process by which it engages senior management.
  • Financial Statements—The Commission asks issuers to incorporate cybersecurity incidents into financial reporting and control systems. Cybersecurity events and risks may affect financial statements in several ways. Public companies could incur: (1) expenses in managing the breach; (2) loss of revenue or other assets; (3) costs and liabilities associated with warranties, breach of contract, recalls, indemnification and insurance; and (4) diminished future cash flows and asset impairment. Certain responses to the breach—e.g., customer rebates or discounts in response to the event—could affect the accounting for associated revenue or other items on the company's financial statements. Attention also should be given to the footnotes in the financial statements.

Consider Reporting Breaches on Form 8-K

When a cybersecurity incident does occur, public companies should consider disclosing the incident in a current report on Form 8-K. Unless it is relevant to some other triggering event, a cybersecurity incident does not, in isolation, require such a filing. However, the Commission clearly encourages prompt disclosure in this format, in part to avoid the potential consequences associated with insider trading or selective disclosure. The Commission also notes that companies listed on the New York Stock Exchange or Nasdaq may have obligations to release material news developments before the issuance of periodic reports.

Revisit Policies and Procedures

Public companies should revisit four categories of policies and procedures:

  • Disclosure Controls and Procedures—Public companies should develop or revisit policies and procedures designed to ensure that the personnel who are responsible for evaluating disclosures within the company are informed of any cybersecurity events in a timely manner. In the Commission's view, the information provided should be over-inclusive: the goal should be to collect information necessary to the evaluation of disclosures. Once the information has been gathered, the policies and procedures should describe how the disclosure determination will be made.
  • CEO and CFO Certifications—Certifications of disclosure controls and procedures specifically should account for disclosures of cybersecurity risks and incidents.
  • Codes of Ethics and Insider Trading Policies—Public companies should ensure that existing codes of conduct and insider trading policies cover cybersecurity events. For example, a public company might impose a trading blackout period once a significant cybersecurity event is identified and while the public reporting decision is being evaluated.
  • Regulation FD—Issuers should revisit policies that avoid selective disclosure of material nonpublic information to analysts, broker-dealers, advisers, investment companies and certain shareholders, prior to broader disclosure to all investors.

Policies are living documents that require management and oversight. Public companies should prepare for additional audit interest focused on cybersecurity controls. In turn, auditors should anticipate more SEC scrutiny of audit work in this area.


Insider Trading Risks

The guidance suggests that the Commission may bring insider trading cases based on trading ahead of cybersecurity breach announcements. FINRA and SEC requests probing this area should be treated with care. Counsel can ensure the accuracy of the response and work with the client to identify potential risks for the firm or its personnel. These investigations can impact company personnel and result in unintended exposure even when the company is confident that there was no misconduct.


Approach to Cybersecurity

The recent cybersecurity guidance fits within the broader framework of the SEC response to cybersecurity risks. Broadly speaking, the SEC divides its approach to cybersecurity into three areas:

  • Unlawful Market Advantage. The SEC investigates cyber-related misconduct designed to gain some form of unlawful market advantage. Examples include hacking or account intrusions designed to facilitate insider trading or market manipulation.
  • Regulated Entities. The SEC also will pursue actions against registered entities—investment advisers, broker-dealers and others—that fail to take appropriate steps to safeguard information or to ensure system integrity. This category focuses on Commission rules, such as Regulations S-P, S-ID, SCI and others. In these cases, the Commission typically focuses on the design and execution of cybersecurity policies and procedures.
  • Public Companies. The third area of SEC focus is public company disclosures related to cybersecurity events. For example, a public issuer may need to include cybersecurity risk considerations in its public filings.

As a general matter, the Commission proceeds cautiously in the second and third categories. In part, this hesitancy reflects a desire to foster a cooperative approach to protecting clients, investors, investment advisers and public companies who are the victims of a breach.

That said, cybersecurity continues to garner significant attention. The SEC increasingly feels pressure to ensure that regulated entities and public companies are taking steps to protect investors from cyber threats. As a result, nearly every SEC program is devoting resources to cybersecurity, and public companies, directors and officers, and auditors should anticipate increased enforcement in this area. The Enforcement Division's formation of a national specialized Cyber Unit reflects this emphasis.

Paul Helms, a partner at McDermott Will & Emery, defends clients in government investigations and conducts internal investigations involving securities, accounting and other financial concerns. He previously served as an attorney in the SEC Enforcement Division, acting as Counsel to the Director of Enforcement and advising and assisting the Director on national policy and management issues.