On February 21, 2018, the Securities and Exchange Commission (SEC) voted unanimously to approve a statement and interpretive guidance to assist public companies in preparing disclosures on cybersecurity risks and incidents.[1] This is not a new regulation; rather, it presents the SEC’s view of public companies’ disclosure obligations under existing laws. The Guidance on Public Company Cybersecurity Disclosures updates the Division of Corporation Finance guidance published in 2011.[2]

What this Means

The published statement and interpretive guidance describes practices companies should employ when disclosing a cyber risk or incident.[3] It follows several high-profile data breaches in which disclosure to shareholders, investors and customers was delayed. The SEC does not require any action on the part of public companies; instead it offers an interpretation of how a company can provide clear and robust disclosure of a cyber risk or incident.[4]

In the guidance, the SEC provides greater clarity on the cybersecurity risk and incident information required in disclosures, and touches on when these disclosures should be made. The SEC identified the following disclosure areas as requiring attention on the part of companies: risk factors, including cybersecurity; and the impact of cybersecurity incidents on the business, legal proceedings, and financial results.[5] Disclosure content should identify cybersecurity risk factors such as past incidents, the probability of future incidents, and the firm’s actions and costs in preventing cyber risks. Additionally, companies are to disclose the material impact on the business of cyber risks or incidents.[6] The interpretation clarifies that firms should disclose to investors the material impact of cyber-related risks on the firm’s business and operations.[7] Furthermore, the SEC recognizes that understanding the full impact of a cyber incident can take time and be difficult, but states that “an ongoing internal or external investigation … would not on its own provide a basis for avoiding disclosures…”[8]

Finally, the updated guidance also addresses insider trading as it relates to cybersecurity. The commission encourages public firms to have procedures and controls to manage the sharing of information on cybersecurity risks and incidents and to prohibit trading by corporate insiders on that information. This is to ensure compliance with existing insider trading laws, while emphasizing the materiality of cyber risks and incidents.[9]

Key Observations and Take-aways

The SEC regulates securities exchanges in the United States by protecting investors, maintaining fair and orderly markets, and facilitating capital formation. The Guidance on Public Company Cybersecurity Disclosures provides a holistic view of existing regulations around disclosure. Yet this guidance is not regulation and therefore does not require any action on the part of public companies.

The cybersecurity disclosure guidance can be viewed as a first step on the part of the SEC to give public companies direction on cybersecurity management. SEC Chairman Jay Clayton released a separate statement indicating that the SEC will continue to monitor cybersecurity-related matters and consider input to determine whether further guidance or rules are needed.[10] Additionally, two members of the commission each released their own statement on the guidance: Commissioner Kara M. Stein, who is a liaison to the North American Securities Administrators Association (NASAA) and the International Organization of Securities Commissions (IOSCO) and an advocate for the Digital Disclosure Task Force, and Commissioner Robert J. Jackson Jr., who joined the commission recently and has experience in using technology for disclosures. Though they support the guidance, they do so with reservations and believe the commission should do more. Commissioner Stein pointed to areas where more could have been done, including: rules to improve an organization’s risk management framework; minimum standards for protecting personally identifiable information (PII); and timely reporting and useful disclosure of cyber-attacks in a form that would not harm a company’s competitive position.[11]

Because the SEC Guidance on Public Company Cybersecurity Disclosures devotes attention to insider trading on cybersecurity information, it offers insight into an area the commission considers important when weighing possible future actions. The SEC referenced insider trading in multiple sections of the guidance, including in its recommendations for managing the flow of cybersecurity information to leadership and avoiding even the appearance of insider trading.

References

  1. “SEC Guidance on Public Company Cybersecurity Disclosures,” Harvard Law School Forum on Corporate Governance and Financial Regulation, March 13, 2018. Access at: https://corpgov.law.harvard.edu/2018/03/13/sec-guidance-on-public-company-cybersecurity-disclosures/.
  2. “SEC to Advance Efforts to Streamline Disclosure Requirements in 2018,” The Wall Street Journal, February 23, 2018. Access at: https://www.wsj.com/articles/sec-to-advance-efforts-to-streamline-disclosure-requirements-in-2018-1519417493.
  3. “SEC Adopts Statement and Interpretive Guidance on Public Company Cybersecurity Disclosures,” U.S. Securities and Exchange Commission, February 21, 2018. Access at: https://www.sec.gov/news/press-release/2018-22.
  4. Ibid.
  5. “SEC Guidance on Public Company Cybersecurity Disclosures,” Harvard Law School Forum on Corporate Governance and Financial Regulation, March 13, 2018. Access at: https://corpgov.law.harvard.edu/2018/03/13/sec-guidance-on-public-company-cybersecurity-disclosures/.
  6. Ibid.
  7. “Commission Statement and Guidance on Public Company Cybersecurity Disclosures,” Securities and Exchange Commission, Interpretation. Access at: https://www.sec.gov/rules/interp/2018/33-10459.pdf.
  8. “SEC Guidance on Public Company Cybersecurity Disclosures,” Harvard Law School Forum on Corporate Governance and Financial Regulation, March 13, 2018. Access at: https://corpgov.law.harvard.edu/2018/03/13/sec-guidance-on-public-company-cybersecurity-disclosures/.
  9. Ibid.
  10. “Statement on Cybersecurity Interpretive Guidance,” U.S. Securities and Exchange Commission, Public Statement, February 21, 2018. Access at: https://www.sec.gov/news/public-statement/statement-clayton-2018-02-21.
  11. “Statement on Commission Statement and Guidance on Public Company Cybersecurity Disclosures,” U.S. Securities and Exchange Commission, Commissioner Kara M. Stein, February 21, 2018. Access at: https://www.sec.gov/news/public-statement/statement-stein-2018-02-21; and “Statement on Commission Statement and Guidance on Public Company Cybersecurity Disclosures,” U.S. Securities and Exchange Commission, Commissioner Robert J. Jackson Jr., February 21, 2018. Access at: https://www.sec.gov/news/public-statement/statement-jackson-2018-02-21.


Newsletter Authors: Venetia Woo, Mairi Bryan, Anwar Ali

Newsletter Contact Person: Venetia Woo

Visit www.accenture.com/RegulatoryCompliance for the latest insights on regulatory remediation and compliance transformation.


Disclaimer

This blog is intended for general informational purposes only, does not take into account the reader’s specific circumstances, may not reflect the most current developments, and is not intended to provide advice on specific circumstances. Accenture disclaims, to the fullest extent permitted by applicable law, all liability for the accuracy and completeness of the information in this blog and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professional.

About Accenture

Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and specialized skills across more than 40 industries and all business functions—underpinned by the world’s largest delivery network—Accenture works at the intersection of business and technology to help clients improve their performance and create sustainable value for their stakeholders. With more than 442,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the way the world works and lives. Its home page is www.accenture.com.

Copyright © 2018 Accenture. All rights reserved.

Accenture, its logo, and High Performance Delivered are trademarks of Accenture. This document is produced by Accenture as general information on the subject. It is not intended to provide advice on your specific circumstances.

If you require advice or further details on any matters referred to, please contact your Accenture representative.
