After a bit of last-minute drama, the SEC on Wednesday issued its guidance for public company cybersecurity disclosures. The Commission’s guidance document emphasizes companies’ disclosure obligations under existing law and requirements. The statement also underscores the Commission’s concerns about insider trading prohibitions and the obligation of reporting companies to refrain from making selective disclosures about nonpublic information. As discussed below, the Commission’s Democratic members criticized the statement for not going far enough. The Commission’s February 21, 2018 press release about the cybersecurity disclosure guidance can be found here. The Commission’s statement and guidance on cybersecurity disclosure can be found here. SEC Chair Jay Clayton’s statement about the Commission’s guidance can be found here.
The Commission’s guidance document emphasizes that threats from cybersecurity concerns have increased, as have the costs associated with cybersecurity incidents. Given the “frequency, magnitude and cost of cybersecurity incidents,” the Commission believes that it is “important” that reporting companies “take all required actions to inform investors” about cybersecurity risks and incidents in a timely fashion. To fulfil these obligations, the Commission emphasizes the importance for public companies of maintaining appropriate disclosure procedures and controls.
In highlighting reporting companies’ cybersecurity disclosure obligations, the guidance document does not rely on or propose new duties or requirements; to the contrary, the Commission emphasizes that the disclosure requirements discussed in the document arise under existing reporting obligations. The guidance document notes – but does not provide any particularly helpful direction on – concerns reporting companies may have about the possibility of cybersecurity disclosure providing a road map for potential intruders; problems associated with disclosure timing, particularly where all facts may not yet be known; and particular concerns about disclosure that may arise while a law enforcement investigation is still underway.
The guidance document puts particular emphasis on insider trading concerns, noting that reporting companies “should be mindful of complying with the laws related to insider trading in connection with information about cybersecurity risks and incidents, including vulnerabilities and breaches.” The document notes the prohibition on trading while in possession of material nonpublic information. The document also notes that while a company is investigating a cybersecurity incident, the company may need to implement trading restrictions.
The Commission’s Democratic members issued separate statements critical of the guidance document. Commissioner Kara Stein said of the document in her statement that she is “disappointed” with the Commission’s “limited action,” saying that the document adds little to the 2011 staff guidance of the Division of Corporation Finance – which, Stein added, has proven inadequate to compel the kind of “robust” disclosure Stein argues that investors need. The Commission’s guidance, Stein said, did not do enough to “advance the ball” beyond the prior staff guidance; indeed, she worried that the Commission’s guidance may give investors and others the false impression that the Commission had done more to address cybersecurity disclosures than it actually had.
New Commissioner Robert J. Jackson Jr. issued a separate statement noting that the Commission’s guidance simply “reiterates years-old staff level views” on the disclosure issues, while “economists of all stripes agree that much more needs to be done.” He noted that the White House’s own Council of Economic Advisers had raised questions about the effectiveness of the SEC’s past cybersecurity disclosure guidance.
My own view is that whatever may have been the intended purpose of the SEC’s new guidance document, reporting companies are not going to find it very helpful as they try to understand their cybersecurity disclosure obligations. The document speaks in generalities, and it provides little help for companies as they try to balance their obligations to inform investors with legitimate concerns about security or problems associated with partial or potentially incomplete information.
The one thing the document does do is emphasize that cybersecurity disclosure is a Commission-level concern. Indeed, even though the Democratic commissioners issued separate statements, all of the public statements emphasize the importance of cybersecurity reporting issues to all of the commissioners. I suspect that one of the specific practical consequences of the priority commissioners place on this issue is that cybersecurity reporting may prove to be a focus of the Commission’s enforcement activities.