SEC Releases Guidance on Public Company Cybersecurity Disclosures
The SEC's new guidance on public company cybersecurity disclosures and Chairman Clayton's accompanying statement emphasize the SEC's expectations that public companies: (i) implement comprehensive cybersecurity policies that allow them to make accurate and timely disclosure of material cybersecurity risks and events; and (ii) prohibit insider trading based on selective disclosure of cyber risks or incidents.
The SEC makes clear that companies were required under prior guidance to report cybersecurity risks under existing federal securities reporting laws, including in Form 10-K annual reports and Form 10-Q quarterly reports. The SEC encourages companies to evaluate materiality and cybersecurity risk by examining prior cybersecurity incidents, the probability of recurrence, adequacy of preventative actions, additional protection costs, and the potential for reputational harm. The SEC cautions that "companies may need to disclose previous or ongoing cybersecurity incidents" to place discussions of these risks in an appropriate context.
Policies and Procedures
The SEC encourages companies "to adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly, including the sufficiency of their disclosure controls and procedures as they relate to cybersecurity disclosure." The SEC notes that such controls "should … ensure timely collection and evaluation of information potentially subject to required disclosure" to allow companies to identify potential risks.
The SEC advises that "information about a company's cybersecurity risks and incidents may be material nonpublic information," and insiders violate antifraud provisions if they trade securities while in possession of that material nonpublic information. The SEC also directs companies to create policies to prevent insider trading on all types of nonpublic information, including cybersecurity information.
Criticism from Commissioners Jackson and Stein
Shortly after Chairman Clayton announced the new guidance, Commissioners Robert Jackson, Jr. and Kara Stein suggested in statements that the SEC should have done more, such as mandating disclosures within a particular time frame.
The SEC has provided helpful guidance for public companies on cybersecurity-related policies and procedures. Most importantly, the SEC emphasizes the need to integrate cybersecurity-related risks and events into a company's existing disclosure controls and procedures. To that end, it places a premium on close coordination and communication between a public company's disclosure controls and procedures team and its IT personnel. It will be critical going forward for companies to ensure they elevate discussions around potential cybersecurity-related disclosures to the right level and to the appropriate groups within the company. The guidance also highlights the need for public companies to ensure their insider trading policies identify and protect against cybersecurity risks, which it notes can be material nonpublic information. This Guidance and other SEC statements demonstrate that cybersecurity will be an area of emphasis for the agency going forward.
For further information, please contact your principal Firm representative or the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at www.jonesday.com/contactus/.
Samir C. Jain
Dallas / Washington
+1.214.969.3681 / +1.202.879.5490
John C. Tang
Meredith K. Collier, an associate in the Cleveland Office, assisted in the preparation of this Alert.
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.