On February 21, 2018, the SEC issued new guidance on cybersecurity disclosures for public companies. As an “interpretive release,” the new guidance interprets existing laws. In this case, the SEC has clarified the statutes that may affect reporting of cybersecurity risks and incidents. The guidance also addresses various costs and consequences of cybersecurity that should be considered when preparing disclosures. The guidance builds on 2011 guidance regarding disclosure of cybersecurity risks and further describes the areas of public company reports that should address cybersecurity risks.

Disclosure of Cybersecurity Incidents in SEC Filings

First, the new guidance makes clear that material cybersecurity risks and incidents must be disclosed in registration statements under the 1933 Securities Act, the 1934 Exchange Act, and periodic and current reports such as Forms 10-Q or 10-K. Materiality depends on a variety of factors, including the nature and extent of risks or incidents and the range of harm to the company. The SEC has made clear that disclosures should not provide a “roadmap” for cybercriminals, but nevertheless must be made in order to provide important information to investors. Ongoing investigations cannot be used to avoid making a disclosure.

The items to be disclosed include material cybersecurity risks, even if no cybersecurity incidents have yet taken place. If an incident occurs, the company should consider whether prior disclosures are still accurate or need to be updated.

The SEC also clarified that cybersecurity risk, if relevant, should be included in the disclosures of the significant factors that make investments in a company’s securities speculative or risky. The guidance outlines several risk factors that can impact the disclosure, such as the probability and potential magnitude of cybersecurity incidents, and the potential for reputational harm.

Other areas of SEC reports that should address cybersecurity include Management Discussion and Analysis (MD&A), Description of the Business, Legal Proceedings, Financial Statement Disclosures, and Board Risk Oversight.

SEC Guidance for Building a Cybersecurity Program

The SEC also strongly encourages all companies to develop a comprehensive cybersecurity program. Key areas of consideration include:

Governance

The SEC’s guidance on Information security program governance includes implementation of effective organizational structure, development of formalized information security policies and procedures based on the company’s risk assessment, and security awareness training.

Periodic Security Assessments

A risk assessment/business impact assessment should be performed. The assessment should, at a minimum, inventory and define the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses. In addition, the assessment should assess internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems including the impact should the information or technology systems become compromised. Companies should also include regular internal security assessments (i.e., internal audit and vulnerability assessments).

Incident Management: Prevention, Detection, and Response

This includes the implementation of appropriate monitoring, prevention, and response controls, such as firewall, IDS/IPS, appropriate access controls, data encryption, backup and data retrieval, business continuity, and incident response plans.

Further SEC Guidance

  • Check out the SEC’s Cybersecurity resource center here.
  • Read the 2015 cybersecurity guidance here.
  • Read the (new) February 2018 guidance here.

Take the Next Step

If you are preparing for an SEC audit or beginning your journey to build a cybersecurity program please feel free to reach out with questions. We have helped many companies navigate SEC audits and successfully build and maintain information security programs based on frameworks such as ISO 27001 and NIST 800-53. We would welcome the opportunity to be a resource to your company or point you in the right direction.