What Public Company Cybersecurity Can Teach Private Firms
The Securities and Exchange Commission (“SEC”) earlier this year updated and expanded its guidance to public companies on cybersecurity risks and incidents in its “Commission Statement and Guidance on Public Company Cybersecurity Disclosures” (the “2018 Guidance”). The 2018 Guidance represents a broad recognition of the critical role that cybersecurity plays in the health of companies and the stability of markets.
“There is no doubt that the cybersecurity landscape and the risks associated with it continue to evolve,” said a statement released by SEC Chairman Jay Clayton. “Public companies must stay focused on these issues and take all required action to inform investors about material cybersecurity risks and incidents in a timely fashion.”
To support this effort, the SEC has created a cybersecurity website with helpful alerts and bulletins, compliance toolkits, and educational resources. In addition, the SEC has constituted a Cyber Unit charged with targeting a wide range of cyber-related misconduct, such as market manipulation through the spread of false information, hacking, and intrusions and attacks on trading platforms and market infrastructure.
While a private company can be reassured that a member of the Cyber Unit will not show up at its door, the 2018 Guidance offers useful insights about the evolving risks in the digital marketplace, as well as effective controls and procedures to manage these risks—all of which can inform a private company that must navigate similar pitfalls in the modern e-commerce environment. Cybersecurity is, as the SEC’s website states, “a responsibility of every market participant.”
Private Companies and Cybersecurity
To that end, the following are some key takeaways for private companies from the 2018 Guidance:
1. Disclosure is key. It is critical for companies to take appropriate action to inform investors about material cybersecurity risks and incidents in a timely fashion. Indeed, the SEC goes so far as to advise that a company may be obligated to make a disclosure even if it has not been the target of a cyberattack, but is merely subject to material cybersecurity risks.
Throughout the 2018 Guidance, the SEC stresses the importance of disclosure of all of the material facts of material cybersecurity risks and incidents. But, a company may ask, what is “material”?
- With regard to the materiality of facts, public companies follow the guideline of disclosing facts that are required or necessary to make the disclosure and the statements therein not misleading. A company should disclose information if there is “a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available.” Measuring information to be disclosed against these standards will help a company avoid making a selective or partial disclosure.
- With regard to the materiality of cybersecurity risks and incidents, a company should generally weigh the nature, extent and potential magnitude of the risk or incident—particularly as they relate to the compromised information or the business and scope of company operations. The range of harm—including harm to the company’s reputation, financial performance, and customer and vendor relationships—as well as the possibility of litigation or regulatory investigations or actions—is also an important indicator of materiality.
- Bearing this in mind, a company might feel obligated to issue a tell-all statement to be sure to give a full disclosure. However, the 2018 Guidance clarifies that companies are not required to issue a “road-map” disclosure that might compromise cybersecurity efforts. Even so, while a company is not required to disclose so much information that it makes itself more vulnerable to a cyberattack, a company must be sure to disclose the risks and incidents that are material to investors, including the concomitant financial, legal or reputational consequences.
2. Policies and procedures are must-haves. Disclosure controls and procedures are crucial to a company’s ability to discern the impact of cybersecurity risks and incidents, and to take appropriate action in a timely fashion.
- Effective controls and procedures should enable a company to identify cybersecurity risk and incidents, assess and analyze their impact and significance, provide for open communication with technical experts, and allow for timely disclosures. These procedures should include a protocol to determine the potential materiality of such risks and incidents.
- Companies should assess their compliance with these policies regularly, as well as assess whether they have sufficient disclosure controls and procedures to ensure that relevant information makes its way to appropriate personnel, including senior management.
3. Management must be involved. A company’s directors, officers, and others responsible for developing and overseeing the controls and procedures must be informed about actual and potential cybersecurity risks and incidents in order to effectively develop and institute disclosure controls and procedures. Management has to remain informed of and engaged in cybersecurity efforts.
Ultimate responsibility, however, does not fall solely on management. The 2018 Guidance states that a company’s governing body (such as a board of directors) is also responsible for overseeing management of cybersecurity risk and engaging with management on cybersecurity issues.
4. Companies must protect against cybersecurity-based insider trading. Knowledge regarding a significant cybersecurity incident may constitute material nonpublic information. Companies need to have policies and procedures in place to guard against insiders taking advantage of the period between discovery of a cybersecurity incident and disclosure to other investors.
Companies should consider how their code of ethics or conflict of interest policies take into account and prevent transfers of company securities on the basis of material nonpublic information related to cybersecurity risks and incidents. Furthermore, companies should specifically consider whether it would be appropriate to restrict transfers during an ongoing investigation of a cybersecurity incident.
Effective cyber governance is becoming an essential component of a well-managed business. While the 2018 Guidance from the SEC is aimed at public companies, it is also a useful tool for private companies to assess their cybersecurity protections and protocols to ensure that they are taking every reasonable step possible to adequately guard against, yet be prepared for, cybersecurity risks and incidents. After all, public and private companies face many of the same challenges when it comes to adapting to the evolving risks of an increasingly digital world. Private companies would do well to take note of the standards set for their public peers as they forge their own paths forward, grow the size and complexity of their businesses, and look for useful resources on how to deal with information security issues in the digital age.