SEC Regulations for Data Security and Disclosures
This article is part of an Action Cyber Times™ series on Cybersecurity Risk Management. The series reviews relevant issues regarding cybersecurity compliance and enforcement.
SEC Statement and Guidance on Public Company Cybersecurity Disclosures
The rules and regulations in the SEC's arsenal are set out in SEC Release Nos. 33-10459 and 34-82746, published at 83 Fed. Reg. 38, pp. 8166-8172 (Feb. 26, 2018), regarding 17 CFR Parts 229 and 249.
See also the prior ACT post titled, SEC 2018-2019 – ICOs and Cybersecurity, for a brief review of two of the exemplary SEC cybersecurity post-incident enforcements in 2018.
Summary
This Statement and Guidance is an excellent source for the statutory and regulatory authority conferred on the Securities and Exchange Commission over public company cybersecurity disclosure under the Securities Act of 1933, the Securities Exchange Act of 1934 and related rules, as amended. The SEC states in the Summary that the statement is interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents.
Registered investment companies, investment advisors, brokers, dealers, exchanges, or self-regulatory organizations are not included in this SEC Statement. These entities will be covered in subsequent Action Cyber Times™ Cyber Risk Management Series installments.
However, it is a long read and very detailed. This overview will highlight the relevant concepts and regulations. As always, the reader should consult primary sources for complete authoritative content.
Introduction
Cybersecurity definition:
The NICCS abbreviated definition of ‘cybersecurity’ is:
“The activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation.” Available at https://niccs.us-cert.gov/glossary#C.
Cybersecurity ‘Incident’ definition:
And a ‘cybersecurity incident’ is:
“An occurrence that actually or potentially results in adverse consequences to (adverse effects on) (poses a threat to) an information system or the information that the system processes, stores, or transmits and that may require a response action to mitigate the consequences.” Available at https://niccs.us-cert.gov/glossary#I.
Companies that experience successful cyber attacks may incur significant costs and consequences, including:
- remediation costs, system damage and loss of business partners;
- increased cybersecurity protection expenses;
- lost revenues;
- litigation and legal risks;
- increased insurance premiums;
- reputational damage;
- damage to shareholder value; and
- exposure to insider trading, where insiders trade on nonpublic information about the incident.
Materiality Requiring Disclosure
The purpose of this Release, which applies to public operating companies only, is to advise such companies to establish and maintain appropriate and effective cybersecurity disclosure controls and procedures that enable them to make accurate and timely disclosures of material risks and incidents.
The Statement follows the standard of materiality as articulated by the U.S. Supreme Court in TSC Industries v. Northway, 426 U.S. 438, 449 (1976), wherein the Court stated,
“… a fact is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision or if it would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available to the shareholder.” (internal quotations omitted)
Thus, to assess the potential materiality of an identified risk or incident, the company should:
- determine the importance of any compromised information;
- determine the impact of the incident on company operations;
- determine the nature, extent and potential magnitude of the incident, particularly as they relate to any compromised information and to the business and scope of company operations;
- determine the range of harm to company reputation, financial performance, and customer and vendor relationships; and
- determine the possibility of litigation or of state, federal or foreign regulatory investigations or actions in response to the incident.
The statutes and regulations do not refer specifically to disclosure of cybersecurity risks and incidents, but a number of the SEC's rules impose disclosure obligations that reach them, and the antifraud provisions (Sections 11, 12 and 17 of the Securities Act, and Section 10(b) and Rule 10b-5 of the Exchange Act) apply to material misstatements or omissions in those disclosures. The relevant rules include:
- Regulation S-K (17 CFR Part 229) – instructions for filing forms and registration statements under the Securities Act of 1933 and the Securities Exchange Act of 1934;
- Regulation S-X (17 CFR Part 210) – instructions for filing financial statements under the Securities Act of 1933 and the Securities Exchange Act of 1934;
Periodic Reports
- Form 10-K annual reports – disclose business and operations, risk factors, legal proceedings, financial condition, financial statements, disclosure controls and procedures, and corporate governance;
- Form 10-Q quarterly reports – require companies to make disclosures regarding their financial statements, management's discussion and analysis (MD&A), and updated risk factors; and
- Registration Statements – must disclose all material facts required to be stated therein or necessary to make the statements therein not misleading.
Current Reports
Publicly reporting companies must report certain material corporate events on a more current basis. Form 8-K is known as a “current report” and it is the report that companies must file with the SEC to announce major material events or information for the shareholders to enable them to make informed investment decisions.
Risk Factors
Regulation S-K Item 503(c) [17 CFR 229.503(c)] requires companies to disclose the most significant factors that make an investment in the company's securities speculative or risky. In evaluating whether cybersecurity risks warrant risk factor disclosure, companies should consider:
- the occurrence of prior cybersecurity incidents, including their severity and frequency;
- the probability of the occurrence and potential magnitude of cybersecurity incidents;
- the adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including, if appropriate, discussing the limits of the company's ability to prevent or mitigate certain cybersecurity risks;
- the aspects of the company's business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks, including industry-specific risks and third-party supplier and service provider risks;
- the costs associated with maintaining cybersecurity protections, including, if applicable, insurance coverage relating to cybersecurity incidents or payments to service providers;
- the potential for reputational harm;
- existing or pending laws and regulations that may affect the requirements to which companies are subject relating to cybersecurity and the associated costs to companies; and
- litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.
Financial Condition and Results of Operations
Regulation S-K Item 303 [17 CFR 229.303] requires companies to discuss, in MD&A, known trends, events and uncertainties that are reasonably likely to have a material effect on results of operations, liquidity or financial condition. For cybersecurity, this includes the costs and consequences of incidents, such as:
- loss of intellectual property;
- remediation costs;
- the cost of implementing preventative measures;
- insurance;
- litigation and regulatory investigations;
- harm to reputation; and
- loss of competitive advantage.
Financial Statement Disclosure
Cybersecurity incidents and risks may affect a company's financial statements, and the company's financial reporting and control systems should provide reasonable assurance that information about the financial impact of an incident is incorporated into the financial statements on a timely basis as it becomes available (see Section 13(b)(2)(B) of the Exchange Act [15 U.S.C. 78m(b)(2)(B)], which requires internal accounting controls). Examples of such impacts:
- expenses related to investigation, breach notification, remediation and litigation, including the costs of legal and other professional services;
- loss of revenue, the cost of providing customers with incentives, or a loss in the value of customer relationship assets;
- claims related to warranties, breach of contract, product recall or replacement, indemnification of counterparties, and insurance premium increases; and
- diminished future cash flows; impairment of intellectual property, intangible or other assets; recognition of liabilities; or increased financing costs.
Board Risk Oversight
Regulation S-K Item 407(h) [17 CFR 229.407(h)] and Item 7 of Schedule 14A require disclosure of the board's role in risk oversight, including oversight of cybersecurity risk and of the company's risk management program.
Policies and Procedures
Exchange Act Rules 13a-15 and 15d-15 [17 CFR 240.13a-15; 17 CFR 240.15d-15] require companies to maintain disclosure controls and procedures and to evaluate their effectiveness. For cybersecurity, such controls should be part of enterprise-wide risk management and should ensure that information about risks and incidents is escalated to management, so that it can be assessed for materiality, and then, where required, disclosed to the SEC under the rules reviewed above. Related provisions:
- Exchange Act Rule 12b-20 [17 CFR 240.12b-20] – requires such further material information as is necessary to make the required statements not misleading;
- Exchange Act Rules 13a-14 and 15d-14 [17 CFR 240.13a-14 and 240.15d-14] – require principal executive and financial officer certifications in periodic reports, including regarding the design and effectiveness of disclosure controls and procedures, which should take into account controls for identifying cybersecurity risks and incidents;
- Sarbanes-Oxley Act of 2002, Section 302 [Pub. L. 107-204, 116 Stat. 745 (2002), 15 U.S.C. 7241] – principal executive and financial officers must certify the information in quarterly and annual reports;
- Regulation S-K Item 307 [17 CFR 229.307] – requires conclusions on the effectiveness of disclosure controls and procedures, which should account for cybersecurity risks or incidents.
Insider Trading
Exchange Act Rule 10b5-1(a) [17 CFR 240.10b5-1(a)] provides that the manipulative and deceptive devices prohibited by Section 10(b) and Rule 10b-5 include purchasing or selling a security on the basis of material nonpublic information about that security or its issuer, in breach of a duty of trust or confidence owed directly, indirectly or derivatively to the issuer, to its shareholders, or to any other person who is the source of the information. Material nonpublic information about cybersecurity risks and incidents falls within that rule.
Regulation FD and Selective Disclosure
Regulation FD (17 CFR 243.100) addresses selective disclosure of material nonpublic information. Companies and persons acting on their behalf should not selectively disclose material nonpublic information regarding cybersecurity risks and incidents to the persons enumerated in Regulation FD before disclosing that same information to the public. Regulation FD applies generally to selective disclosures made to the persons listed in Rule 100(b)(1), that is, persons outside the issuer who are:
- a broker or dealer or persons associated with a broker or dealer;
- an investment advisor or persons associated with an investment advisor;
- an investment company or persons affiliated with an investment company; or
- a holder of the issuer’s securities under circumstances in which it is reasonably foreseeable that the person will trade in the issuer’s securities on the basis of the information.
Table of US Statutes and Rules
The following table reviews the statutes and rules cited in the Statement, and provides them in one place with a brief explanation to assist the researcher or reader in discerning applicable authority.
TABLE OF SECURITIES STATUTES AND RULES USED AS BASIS FOR ENFORCEMENT BY THE SEC
Derived from 83 Fed Reg 38 p8166-8172
Common Name | Statute / CFR | Description |
Section 13(b)(2)(B) of the Exchange Act | 15 U.S.C. 78m(b)(2)(B) | requires internal accounting controls; cybersecurity incidents and risks may affect the company's financial statements, and their financial impact should be incorporated into those statements on a timely basis as the information becomes available |
Regulation S-X | 17 CFR Part 210 | instructions for filing financial statements under the Securities Act of 1933 and the Securities Exchange Act of 1934 |
Regulation S-K | 17 CFR Part 229 | instructions for filing forms and registration statements under the Securities Act of 1933 and the Securities Exchange Act of 1934 |
Reg S-K Item 101 | 17 CFR 229.101 | requires companies to discuss cybersecurity incidents or risks that materially affect a company's products, services, relationships with customers or suppliers, or competitive conditions |
Reg S-K Item 103 | 17 CFR 229.103 | requires companies to disclose material pending legal proceedings, including those arising from cybersecurity incidents |
Reg S-K Item 303 | 17 CFR 229.303 | requires MD&A of known trends, events and uncertainties reasonably likely to have a material effect on results of operations, liquidity or financial condition, which would include the costs and consequences of cybersecurity incidents |
Reg S-K Item 307 | 17 CFR 229.307 | requires conclusions on the effectiveness of disclosure controls and procedures, which should account for cybersecurity risks or incidents |
Reg S-K Item 407(h) | 17 CFR 229.407(h) | requires disclosure of the board's role in risk oversight, including oversight of cybersecurity risk and the company's risk management program |
Reg S-K Item 503(c) | 17 CFR 229.503(c) | requires companies to disclose the most significant factors that make an investment in the company's securities speculative or risky |
Rule 408 of the Securities Act | 17 CFR 230.408 | a company is required to disclose “such further material information, if any, as may be necessary to make the required statements, in light of the circumstances under which they are made, not misleading” |
Rule 10b5-1(a) of the Exchange Act | 17 CFR 240.10b5-1(a) | trading a security on the basis of material nonpublic information, in breach of a duty of trust or confidence owed directly, indirectly or derivatively to the issuer, its shareholders, or any other person who is the source of the information, is a manipulative and deceptive device under Section 10(b) and Rule 10b-5; this includes information relating to cybersecurity risks and incidents |
Rule 12b-20 of the Exchange Act | 17 CFR 240.12b-20 | a company is required to disclose “such further material information, if any, as may be necessary to make the required statements, in light of the circumstances under which they are made, not misleading” (cited at Fn 31); the Statement also relies on it for timely disclosure (Fn 54) |
Rule 13a-14 of the Exchange Act | 17 CFR 240.13a-14 | requires principal executive and financial officer certifications in periodic reports, including regarding the design and effectiveness of disclosure controls and procedures for cybersecurity risks or incidents |
Rule 13a-15 of the Exchange Act | 17 CFR 240.13a-15 | requires companies to maintain and evaluate disclosure controls and procedures, which, as part of enterprise-wide risk management, should ensure that information about cybersecurity risks and incidents is escalated to management and, where required, disclosed to the SEC under the rules previously reviewed |
Rule 14a-9 of the Exchange Act | 17 CFR 240.14a-9 | prohibits false or misleading proxy solicitation materials; a company is required to disclose such further material information as may be necessary to make the required statements not misleading |
Rule 15d-14 of the Exchange Act | 17 CFR 240.15d-14 | requires principal executive and financial officer certifications in periodic reports, including regarding the design and effectiveness of disclosure controls and procedures for cybersecurity risks or incidents |
Rule 15d-15 of the Exchange Act | 17 CFR 240.15d-15 | requires companies to maintain and evaluate disclosure controls and procedures, which, as part of enterprise-wide risk management, should ensure that information about cybersecurity risks and incidents is escalated to management and, where required, disclosed to the SEC under the rules previously reviewed |
Sarbanes-Oxley Act of 2002, Section 302 | 15 U.S.C. 7241 | principal executive and financial officers must certify the information in quarterly and annual reports |
Regulation FD | 17 CFR 243.100(b)(1) | companies and persons acting on their behalf should not selectively disclose material nonpublic information regarding cybersecurity risks and incidents to the persons enumerated in Rule 100(b)(1) before disclosing that same information to the public |
Commentary by Attorney Timothy F. Mills, Editor / Action Cyber Times™ © 2018 All Rights Reserved.
Action Cyber Times™ provides resources for cybersecurity, data privacy, compliance, breach reporting and risk management, intellectual property theft, and the utilization of emerging technologies such as artificial intelligence, machine learning, blockchain DLT, advances in cryptographic applications, and more.
Disclaimer: The content available on the web site and in the blog posts is for informational purposes only and is not intended to, and does not, provide legal advice. Contact and retain an appropriate professional for legal advice. Use of this content or any of the links contained within the site do not create an attorney-client relationship. The opinions expressed are the opinions of the author.