SEC Statement and Interpretive Guidance on Company Cybersecurity Disclosures

Last Wednesday, February 21st, The U.S. Securities and Exchange Commission (SEC) unanimously approved a new guidance calling on public companies to be more forthcoming when disclosing cybersecurity risks, even before a breach or attack happens. The statement, which expands on previous guidance issued in 2011, also warns that corporate insiders must not trade shares when they have information about cybersecurity issues that isn’t public yet. The guidance provides the Commission’s views about public companies’ disclosure obligations under existing law with respect to matters involving cybersecurity risk and incidents.  It also addresses the importance of cybersecurity policies and procedures and the application of disclosure controls and procedures, insider trading prohibitions, and Regulation FD and selective disclosure prohibitions in the cybersecurity context.

“I believe that providing the Commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors. In particular, I urge public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives.” said SEC Chairman Jay Clayton

The guidance was issued as an “interpretive release,” which the SEC uses to publish their views and interpret federal securities laws and SEC regulations. In it, the commission urged companies to develop policies that allows them to quickly assess cybersecurity risks and decide when to tell the public, and also prevent executives, board members and other corporate insiders from trading shares when they have important information that hasn’t been released yet. This includes risks and incidents that happen on the cloud servers. What many don’t understand is when implementing a cloud server, it comes without protection and backup. Digital Edge provides Cloud Security services that informs, patches, and protects against any cybersecurity incident.

Back in 2011, the SEC’s Division of Corporation Finance first published guidance about disclosing cybersecurity risks and incidents, which was necessary at the time because there were no existing disclosure requirements that specifically addressed cybersecurity issues.

Over the past seven years, however, cybersecurity breaches have become increasingly common, so the SEC decided to expand on its 2011 guidance. Hackers have evolved to be so sneaky and dangerous that it has become very difficult to catch them before the attack. However, we at Digital Edge keep up and ensure safety of our all clients cloud data.

“Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack,” the SEC said.

The SEC’s new guidance doesn’t mention specific incidents, but it comes about five months after the massive Equifax data breach, which compromised the personal information of about 145.5 million people. The credit bureau was criticized for taking too long to inform users about the incident and the Justice Department is also reportedly investigating large sales of shares by executives between when the company learned of the breach and when it became public.

The SEC added that even though companies are not required to reveal sensitive information that could compromise their cybersecurity measures, they also cannot use internal or law enforcement investigations as an excuse for not informing the public.

We also recognize that it may be necessary to cooperate with law enforcement and that ongoing investigation of a cybersecurity incident may affect the scope of disclosure regarding the incident. However, an ongoing internal or external investigation–which often can be lengthy–would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident,” the guidance stated.

However, SEC commissioner Kara Stein feels that many public companies still provide disclosures about cybersecurity risks that are “far from robust” and that she is “disappointed with the Commission’s limited action.”

“In effect, we could have helped companies formulate more meaningful disclosure for investors. Instead, yesterday’s guidance provides only modest changes to the 2011 staff guidance,” she wrote. Instead of just issuing guidance, Stein believes that the SEC needs to consider issuing rules that would require companies to develop and implement stronger cybersecurity-related policies and procedures.

Stein is not the only SEC commissioner that also feels this way, Robert J. Jackson wrote, “I reluctantly support today’s guidance in the hope that it is just the first step toward defeating those who would use technology to threaten our economy. The guidance essentially reiterates years-old staff-level views on this issue. But economists of all stripes agree that much more needs to be done.”

Digital Edge strongly agrees with the SEC that in today’s environment, cybersecurity is critical to the operations of companies and our markets. Companies increasingly rely on and are exposed to digital technology as they conduct their business operations and engage with their customers, business partners, and other constituencies. This reliance on and exposure to our digitally-connected world presents ongoing risks and threats of cybersecurity incidents for all companies, including public companies regulated by the Commission. Public companies must stay focused on these issues and take all required action to inform investors about material cybersecurity risks and incidents in a timely fashion.

It is important to not only disclose information to the public about potential risks and incidents, but to stay safe and protected from these risks. Digital Edge acknowledges how vital and sensitive information and data can be, we offer services to ensure cloud security and prevent breaches.

Digital Edge is an expert in ISO standards, and is certified by International Standard Organization on Information Security and Quality (ISO 27001). The Digital Edge Security and Compliance Team can assist your business to implement policies, standards and practices that not only meet the SEC guidance but exceed these recommendations by providing clients with cybersecurity policies and procedures based on International Standards Organization framework.

Contact us today to further explore how our team can provide your business with an unparalleled cybersecurity solution, with our continued focus on Stability, Security, Efficiency and Compliance.

Michael Nikhamov

Michael Nikhamov became CFO in 1998, and is a unique combination of both pragmatist and visionary. His methodologies and foresight have been fundamental contributors in the growth and success of Digital Edge. For the decade prior to joining Digital Edge, Michael was CFO and cofounder of an NYC-based wireless reseller, which he grew from concept, to one of the largest companies of its kind.