The Securities and Exchange Commission (“SEC”) recently updated and expanded its guidance to public companies on cybersecurity risks and incidents in its “Commission Statement and Guidance on Public Company Cybersecurity Disclosures” (the “2018 Guidance”). The 2018 Guidance represents a broad recognition of the critical role that cybersecurity plays in the health of companies and the stability of markets.
“There is no doubt that the cybersecurity landscape and the risks associated with it continue to evolve,” said a statement released by SEC Chairman Jay Clayton. “Public companies must stay focused on these issues and take all required action to inform investors about material cybersecurity risks and incidents in a timely fashion.”
To support this effort, the SEC has created a cybersecurity website with helpful alerts and bulletins, compliance toolkits, and educational resources. In addition, the SEC has constituted a Cyber Unit charged with targeting a wide range of cyber-related misconduct, such as market manipulation through the spread of false information, hacking, and intrusions and attacks on trading platforms and market infrastructure.
While a private company can be reassured that a member of the Cyber Unit will not show up at its door, the 2018 Guidance offers useful insights about the evolving risks in the digital marketplace, as well as effective controls and procedures to manage these risks—all of which can inform a private company that must navigate similar pitfalls in the modern e-commerce environment. Cybersecurity is, as the SEC’s website states, “a responsibility of every market participant.”
To that end, the following are some key takeaways for private companies from the 2018 Guidance:
Throughout the 2018 Guidance, the SEC stresses the importance of disclosure of all of the material facts of material cybersecurity risks and incidents. But, a company may ask, what is “material”?
Ultimate responsibility, however, does not fall solely on management. The 2018 Guidance states that a company’s governing body (such as a board of directors) is also responsible for overseeing management of cybersecurity risk and engaging with management on cybersecurity issues.
Companies should consider how their code of ethics or conflict of interest policies take into account and prevent transfers of company securities on the basis of material nonpublic information related to cybersecurity risks and incidents. Furthermore, companies should specifically consider whether it would be appropriate to restrict transfers during an ongoing investigation of a cybersecurity incident.
Effective cyber governance is becoming an essential component of a well-managed business. While the 2018 Guidance from the SEC is aimed at public companies, it is also a useful tool for private companies to assess their cybersecurity protections and protocols, and to confirm that they are taking every reasonable step to guard against, and remain prepared for, cybersecurity risks and incidents. After all, public and private companies face many of the same challenges when it comes to adapting to the evolving risks of an increasingly digital world. Private companies would do well to take note of the standards set for their public peers as they forge their own paths forward, grow the size and complexity of their businesses, and look for useful resources on how to deal with information security issues in the digital age.