The SEC recently published interpretive guidance on cyber security disclosures. It provides good recommendations and an overall framework for public companies when addressing cyber-related disclosures and developing sound internal policies and procedures. Among those policies and procedures, the SEC dedicated considerable attention to policies surrounding insider-trading (following a cyber incident). Below we summarize some of the key takeaways from the SEC’s recent report:
 

• When assessing cyber events for disclosure, companies must consider the materiality of the cyber event. According to the SEC, “In addition to the information expressly required by Commission regulation, a company is required to disclose “such further material information, if any, as may be necessary to make the required statements, in light of the circumstances under which they are made, not misleading.”³¹ The Commission considers omitted information to be material if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available”. Additionally, the SEC went on to recommend consideration of the following when evaluating cyber events for disclosures:
  • Occurrence of prior incidents
  • Magnitude of the cyber event and the resulting damage that could result
  • Sufficiency of cyber security measures implemented
  • Business and operational specific cyber-risks (including industry specific risks)
  • Costs related to cyber security programs
  • Costs arising from litigation, investigations and/or remediation
  • Potential for reputational damage
  • Legal landscape, including any regulatory requirements
     
• When making disclosures, companies avoid generic boilerplate language.
   
• Companies should “refrain from making selective disclosures of material nonpublic information about cybersecurity risks or incidents.”. In order to reduce the risk of such selective disclosures, the SEC recommends filing current reports (8-K, 6-K), in addition to periodic reports (10-K, 10-Q).
   
• Ensure all materiel facts have been disclosed, in a manner that is not misleading, and in consideration of section 11, 12, 17 of the Securities Act and 10(b) and 10(b-5) of the Exchange Act.
   
• Companies should be mindful of the information provided when disclosing a breach. Information that could provide a potential road map for cyber criminals should be avoided – this includes technical information about the breach and/or any information related to system vulnerabilities.
   
• The commission understands that it may take time to quantify the scope and magnitude of the cyber event and establish all of the facts, prior to disclosing. They also understand that cooperation with law enforcement may “affect the scope of the disclosure”. They also went on to add: “an ongoing internal or external investigation – which often can be lengthy – would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.”
   
• Companies should be aware of the need to update and correct prior disclosures that may contain information that is later deemed to be inaccurate.
   
• When addressing cyber intrusions in any MD&A and financial statements, companies should be cognizant of (among other things)
  • Immediate and preventative costs, including notification costs, remediation costs, costs related to cyber insurance (and any increases in cyber insurance premiums), costs of other professional services, and any costs related to product recalls or replacements.
  • Regulatory, investigational, and litigation related costs
  • Contractual and warranty related costs.
  • Lost income, loss of competitive advantage, reduction in cash flows and any impairment of IP
     
• In addressing the risk of insider-trading and potential fraud, the SEC stated, “Directors, Officers and corporate insiders must not trade a public companies’ securities while in possession of materiel nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company”. When developing policies and procedures policies and procedures, companies should be mindful of regulation FD requirements, insider-trading rules and anti-fraud provisions. This means (among other things), including trading-prohibition periods following the discovery of a cyber incident.