[BreachExchange] Sunshine, Disinfectant and SEC Guidance on Cybersecurity Disclosures

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 24 20:03:51 EDT 2018


The fundamental principle of SEC’s market regulation is the power of
sunshine, transparency and disclosure.  In other words, the SEC seeks to
ensure that companies disclose important information to the public so that
securities markets operate efficiently.  Whether the SEC has appropriately
applied this principle in regulating the securities industry is a debate
for another day.  The SEC, however, has used this policy goal to address
new and significant risks.

Earlier this year, on February 21, 2018, the SEC published new guidance
concerning public company disclosures about cybersecurity risks and
incidents.  (Here).  The SEC’s disclosure built on prior guidance issued in
2011 on the same subject.  In many respects, the SEC’s new guidance expands
its guidance to address a number of new issues.

The SEC’s Guidance is an important document that will be used by its Office
of Compliance Inspections and Examinations and will be cited to justify
regulatory actions against companies for cybersecurity failures.  Aside from
SEC enforcement actions, the SEC Guidance is likely to be cited by litigants
in civil litigation against companies for cybersecurity failures and material
omissions and misrepresentations.

In determining the materiality of a cybersecurity risk or incident, the SEC
Guidance lists various criteria that companies should consider, including
the nature and magnitude of a cybersecurity risk or incident, or the
reputational, financial or operational harm that could result from a
cybersecurity risk or incident.  The SEC Guidance also notes that other
considerations include potential litigation and/or regulatory enforcement
actions by US or foreign authorities.

The SEC Guidance addresses another important issue – whether an internal or
external investigation about a cybersecurity incident should exempt a
company from publicly disclosing such an incident as a material event.  In
addressing this issue, the SEC noted that such an investigation by itself
should not provide a justification for avoiding such a disclosure.

The SEC’s Guidance also focuses on disclosures of the board’s role, if any,
in the oversight of cybersecurity risks and the manner in which the board
interacts and communicates about such risks.  Corporate boards have
increased their focus on cybersecurity risks.  The SEC expects companies to
explain what role the board plays in overseeing and monitoring
cybersecurity risks and its relationship with management to ensure that
such risks are mitigated and appropriately addressed.  As a result,
corporate board members have to exercise vigilance to understand
cybersecurity issues, risks and potential threats.

In response to the SEC enforcement action in the Experian data breach case,
the SEC Guidance addressed potential insider trading risks relating to
cybersecurity incidents.  Specifically, the SEC encouraged companies to
adopt ethics and insider trading policies and appropriate controls to
prevent insider trading related to a cybersecurity incident.  As a basic
requirement, companies should adopt a blackout period following a
cybersecurity incident.

As another important measure, the SEC urged companies to design and
implement robust cybersecurity risk management policies and procedures.  As
part of this compliance program, the SEC explained that companies should
identify and elevate information to ensure that the company makes
appropriate disclosures relating to cybersecurity risks and incidents.

The SEC Guidance recommends that companies regularly assess the sufficiency
of their compliance policies and procedures relating to cybersecurity risks
and incidents.  As part of these assessments, companies should review
documents, interview key personnel and conduct readiness tests.

The SEC Guidance also notes the importance of addressing cybersecurity
risks and incidents when acquiring companies.  Companies should focus on
cybersecurity issues both in pre-acquisition due diligence and in
post-acquisition integration efforts.