[BreachExchange] New Guidance Mandates Greater Attention to Cybersecurity Planning

Audrey McNeil audrey at riskbasedsecurity.com
Wed Apr 18 20:40:16 EDT 2018


http://www.corporatecomplianceinsights.com/secs-latest-disclosures/

In the wake of recent notable data breaches, the United States Securities
and Exchange Commission issued an interpretive release in late February
designed to improve the timeliness and accuracy of public companies’
disclosures of cybersecurity risks and incidents and prevent insider
trading.[1] An “incident” for purposes of the guidance is a broader term
than “breach” and includes an “occurrence that actually or potentially
results in adverse consequences to” a company’s information system. As
discussed below, the SEC’s guidance (“Guidance”) underscores concerns that
all companies, regardless of size and ownership, need to take seriously to
improve their cybersecurity planning and legal compliance.

The SEC’s Guidance

Disclosing Cybersecurity Risks and Incidents

The Guidance follows up on 2011 guidance from the Division of Corporation
Finance[2] that acknowledged that while federal securities disclosure
requirements do not explicitly refer to cybersecurity risks and incidents,
companies may be obligated to disclose them. Many companies responded to
that guidance by including additional cybersecurity disclosures in their
reporting, primarily in the form of risk factors. The Guidance “reinforces
and expands” on the 2011 guidance by providing more detail as to the form,
breadth and timing of those disclosures.

The Guidance refers to a number of disclosure requirements that may
obligate a company to disclose cybersecurity risks and incidents “depending
on a company’s particular circumstances,” including periodic reports such
as a Form 10-K, registration statements and current reports such as a Form
8-K or Form 6-K. A company’s obligation to disclose and the information
required to be disclosed is assessed under the materiality standard.
Companies are to weigh “the potential materiality of any identified risk
and, in the case of incidents, the importance of any compromised
information and of the impact of the incident on the company’s operations.”
Materiality analysis is fact-dependent and is based on the “nature, extent
and potential magnitude” of the risk or incident, particularly as it
relates to the level of sensitivity and scope of the information
compromised.

Companies should also consider the range of harm that flows from the
incident, including reputational and financial performance harm, damage to
relationships with customers and vendors and the risk of both civil
litigation and government regulatory enforcement against the company.
Importantly, the SEC notes that companies must provide sufficient detailed
information about risks and incidents to investors and must avoid generic,
boilerplate language. That said, the SEC does not intend for a company’s
disclosures to “compromise its cybersecurity efforts” by providing
“specific, technical information about” its systems, networks and devices
and potential vulnerabilities that would provide hackers or others with a
“roadmap” for an attack.

Maintaining More Robust Cybersecurity Policies and Procedures and
Precautions Against Insider Trading

Breaking new ground, the Guidance specifically encourages companies “to
adopt comprehensive policies and procedures related to cybersecurity and to
assess their compliance regularly.” While these should include specific
disclosure controls and procedures related to cybersecurity disclosure, the
guidance speaks in much broader and more holistic terms, encouraging
companies to adopt a comprehensive plan to ensure that they are managing
their enterprise-wide cybersecurity risks. This plan should include
controls and procedures that enable companies to identify their risks and
vulnerabilities, assess and evaluate their business impact and
significance, allow for necessary communications between technical experts
and disclosure advisors, advise company decision-makers (including the
board) and make timely and accurate disclosures. Ultimately, the goal is
for companies to be more proactive in addressing today’s threat landscape
and properly advising their investors and the public of risks and incidents
in a timely fashion.

Also new in the Guidance is specific direction that public companies must
abide by insider trading prohibitions in the cybersecurity context. As the
Guidance notes: “directors, officers and other corporate insiders must not
trade a public company’s securities while in possession of material
nonpublic information, which may include knowledge regarding a significant
cybersecurity incident experienced by the company.” To guard against this,
companies should adopt and maintain policies and procedures to prevent an
individual from taking advantage of material nonpublic information about a
breach or incident to trade the company’s securities before the public is
notified. Not only will such measures mitigate the legal risks associated
with insider trading, but they will also guard against the risk of
reputational harm that has been associated with the recent breaches.

Takeaways

The Guidance is just the latest indication that government regulators want
companies to improve both their overall cybersecurity and incident response
and notification procedures. Public and private companies should use this
as an opportunity to assess their current systems and procedures to ensure
that they are addressing cybersecurity risks and that they are ready to
respond to security incidents and promptly provide the required
notifications and disclosures. Companies should consider taking the
following additional steps to address the issues raised in the Guidance:

- All companies should examine their current incident response preparation.
Do you have a written incident response plan? If so, consider whether it
should be updated to reflect your current business environment, the latest
breach notification legal requirements, the SEC’s disclosure guidance
and any other reporting obligations to your customers. Also, evaluate
whether the members of your response team and other key company
stakeholders have been trained on the plan. Conducting a tabletop exercise
to practice the company’s response to real-world scenarios is also
recommended.
- All companies should also evaluate their overall cybersecurity plan to
ensure they have sufficient controls and procedures in place to mitigate
security risks and to promote the timely and accurate disclosure of
cybersecurity risks and incidents.
- Public companies need to incorporate the Guidance into their future
disclosures of cybersecurity risks and incidents. This includes the
materiality and harm analyses and the amount of detail provided in the
disclosures. The Guidance also raises the issue of previous cybersecurity
disclosures. Companies should evaluate whether their previous disclosures
are sufficiently detailed and not cookie cutter.
- Public companies should also examine and, if necessary, update their
insider trading policies to account for the Guidance’s express prohibitions
related to data breaches and other security incidents.

In today’s environment, companies must adopt and maintain the types of
systems and procedures described in the Guidance or face the potential
legal, financial and reputational fallout of a data breach.