1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

SEC Updates Guidance On Cybersecurity Risk And Incident Disclosure Requirements

The United States Securities and Exchange Commission (SEC) recently published updated interpretative guidance concerning the duty of covered public companies to disclose certain material cybersecurity risks and incidents when filing with the SEC. Entitled “Commission Statement and Guidance on Public Company Cybersecurity Disclosures,” the new guidance clarifies and expands upon an October 2011 guidance issued by the the SEC’s Division of Corporation Finance, and outlines the SEC’s views as to when cybersecurity risks or incidents must be disclosed to the SEC and investors.

Summary of New Guidance

The new SEC guidance has two areas of focus: (1) it reminds companies of their disclosure obligations generally, and how those obligations relate to cybersecurity risks and incidents; and (2) it provides additional guidance regarding the adequacy of company controls and procedures concerning the disclosure of cybsersecurity risks and incidents, including the need for a policy to prohibit insider trading on nonpublic information about cybersecurity risks or incidents.

Cybersecurity Disclosure Obligations – Generally

Public companies are required to file periodic reports with the SEC, including on Forms 10-K and 10-Q, disclosing material information concerning:

  1. Business risk factors;
  2. Business operations and financial condition;
  3. A description of the business;
  4. Legal proceedings;
  5. Board oversight risk; and
  6. A description of the company’s disclosure controls and procedure.

Certain public companies are also required to file Securities Act and Exchange Act registration statements that disclose all material facts required to be stated or necessary to make the statements not misleading, and current reports on Forms 8-K and 6-K to maintain the accuracy and completeness of the registration statements. Public companies are also required to disclose “such further material information” as may be necessary to make the required statements, “in light of the circumstances under which they are made, not misleading.” The SEC “considers omitted information to be material if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available.”

According to the SEC, only “material” cybersecurity risks and incidents need be disclosed. Whether a particular risk or incident is “material,” in the view of the SEC, will depend on the “nature, extent, and potential magnitude” of the particular risk or incident, and on the “range of harm that such incidents could cause.” Accordingly, companies should consider the “indicated probability that an event will occur and the anticipated magnitude of the event in light of the totality of company activity[,]” including harm to a company’s reputation, financial performance, customer and vendor relationships, and the possibility of “litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities.”

Specific to the six categories of disclosure outlined above, the new guidance addresses how cybersecurity risks and incidents should be addressed:

Risk Factors

Covered public companies are required to disclose the “most significant factors that make investments in the company’s securities speculative or risky.” When evaluating cybersecurity risk factor disclosure, the SEC advises companies to consider:

  • The occurrence of prior cybersecurity incidents, including their severity and frequency;
  • The probability of the occurrence and potential magnitude of cybersecurity incidents;
  • The adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs;
  • The aspects of the company’s business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks, including third-party vendor risks;
  • The costs associated with maintaining cybersecurity protections, including insurance coverage;
  • The potential for reputational harm;
  • Existing or pending laws and regulations that may impact the companies’ compliance with regard to cybesercurity, and the associated costs with such compliance; and
  • Litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.

The SEC notes companies “may need to disclose previous or ongoing cybersecurity incidents or other past events in order to place discussions of these risks in the appropriate context.” For example, if a “company previously experienced a material cybersecurity incident involving denial-of-service, it likely would not be sufficient for the company to disclose that there is a risk that a denial-of-service incident may occur. Instead, the company may need to discuss the occurrence of that cybersecurity incident and its consequences as part of a broader discussion of the types of potential cybersecurity incidents that pose particular risks to the company’s business and operations.” The SEC also notes that past incidents involving suppliers, customers, competitors, and others “may be relevant when crafting risk factor disclosure.”

Business Operations and Financial Condition

Covered public companies are required to discuss their financial condition, changes in financial condition, and results of operations in their public disclosures. According to the SEC, these items require a discussion of “events, trends, or uncertainties that are reasonably likely to have a material effect on its results of operations, liquidity, or financial condition, or that would cause reported financial information not to be necessarily indicative of future operating results or financial condition and such other information that the company believes to be necessary to an understanding of its financial condition, changes in financial condition, and results of operations.”

In this context, the SEC notes the cost of ongoing cybersecurity efforts, the costs and other consequences of cybersecurity incidents, and the risks of potential cybersecurity incidents could inform a company’s analysis. In measuring cybersecurity costs, the SEC says companies “may consider the array of costs associated with cybersecurity issues,” including costs associated with:

  • Loss of intellectual property;
  • Immediate costs of the incident;
  • Implementing preventative measures;
  • Maintaining insurance;
  • Responding to litigation and regulatory investigations;
  • Preparing for and complying with proposed or current legislation;
  • Engaging in remediation efforts;
  • Addressing harm to reputation; and
  • Loss of competitive advantage.

Description of Business

Covered public companies are required to discuss their products, services, relationships with customers and suppliers, and competitive conditions. The SEC advises companies to disclose cybersecurity incidents or risks if they “materially affect” any of these disclosure requirements.

Legal Proceedings

Covered public companies must disclose information relating to material pending legal proceedings to which they or their subsidiaries are a party. The SEC makes clear that this disclosure requirement includes “any such proceedings that relate to cybersecurity issues.” For example, if a company experiences a cybersecurity incident “involving the theft of customer information and the incident results in material litigation by customers against the company, the company should describe the litigation, including the name of the court in which the proceedings are pending, the date the proceedings are instituted, the principal parties thereto, a description of the factual basis alleged to underlie the litigation, and the relief sought.”

Financial Statements

The SEC advises companies that their financial reporting and controls systems must be “designed to provide reasonable assurance that information about the range and magnitude of the financial impacts of a cybersecurity incident would be incorporated into its financial statements on a timely basis as the information becomes available.” Cybersecurity incidents and risks may impact a company’s financial statements by resulting in:

  • Expenses related to investigation, breach notification, remediation and litigation, and the costs of legal and other professional services;
  • Loss of revenue, providing customers “with incentives or a loss of customer relationship assets value;”
  • Claims related to warranties, breach of contract, product recall/replacement, indemnification, and insurance premium increases; and
  • Decreased cash flow, and impairment of assets.

Board Oversight Risk

Covered public companies are required to disclose the extent of their board of directors’ role in the risk oversight of the company, including how the board administers its oversight function and the effect that has on the board’s leadership. The SEC’s new guidance makes clear that to the extent “cybersecurity risks are material to a company’s business,” such discussion “should include the nature of the board’s role in overseeing the management of that risk.” This disclosure will allow investors to “assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.”

Disclosure Controls and Procedures

The SEC encourages companies to “adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly, including the sufficiency of their disclosure controls and procedures as they relate to cybersecurity disclosure.” Specifically, companies should asses whether they have sufficient disclosure controls and procedures in place to “ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate ppersonnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications and to facilitate policies and procedures designed to prohibit directors, officers, and other corporate insiders from trading on the basis of material nonpublic information about cybersecurity risks and incidents.”

When designing and evaluating disclosure controls and procedures, the SEC advises companies to “consider whether such controls and procedures will appropriately record, process, summarize, and report the information related to cybersecurity risks and incidents that is required to be disclosed in filings.” Controls and procedures, according to the SEC, should enable companies to:

  • Identify cybersecurity risks and incidents;
  • Assess and analyze their impact on a company’s business;
  • Evaluate the significance associated with such risks and incidents;
  • Provide for open communications between technical experts and disclosure advisors; and
  • Make timely disclosures regarding such risks and incidents.

With regard to the requirement that a company’s principal executive officer and principal financial officer make certifications regarding the design and effectiveness of disclosure controls and procedures, the SEC says such certifications and disclosures “should take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact.” In addition, if the cybersecurity risk or incident poses a risk to a company’s ability to record, process, summarize, and report information that is required to be disclosed, management “should consider whether there are deficiencies in disclosure controls and procedures that would render them ineffective.”

Insider Trading

In addition to the disclosure obligations set forth above, the new SEC guidance also advises companies, their directors, officers, and other corporate insiders to comply with “the laws related to insider trading in connection with information about cybersecurity risks and incidents, including vulnerabilities and breaches.” Specifically, the SEC notes that information about a company’s cybersecurity risks and incidents “may be material nonpublic information, and directors, officers, and other corporate insiders would violate the antifraud provisions if they trade the company’s securities in breach of their duty of trust or confidence while in possession of that material nonpublic information.”

The SEC also encourages companies to consider how their codes of ethics and insider trading policies “take into account and prevent trading on the basis of material nonpublic information related to cybersecurity risks and incidents.” Additionally, while companies are investigating and assessing cybersecurity incidents, companies “should consider whether and when it may be appropriate to implement restrictions on insider trading in their securities.”

Takeaways

The SEC makes clear in its new guidance that it is not advising companies to “make detailed disclosures that could compromise its cybersecurity efforts[.]” For example, companies are not required to provide a “roadmap” for malicious actors to penetrate the company’s cybersecurity protections. Nor does the SEC “expect companies to publicly disclose specific, technical information about their cybersecurity systems, the related networks and devices, or potential system vulnerabilities in such detail as would make such systems, networks, and devices more susceptible to a cybersecurity incident.”

Instead, the SEC advises companies to “disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal, or reputational consequences.” The SEC further requires companies to “make appropriate disclosure timely and sufficiently prior to the offer and sale of securities and to take steps to prevent directors and officers (and other corporate insiders) from trading its securities until investors have been appropriately informed about the incident or risk.”

The SEC makes clear in its new guidance that it expects companies to “provide disclosure that is tailored to their particular cybersecurity risks and incidents.” To that end, companies are advised to “avoid generic cybersecurity-related disclosure and provide specific information that is useful to investors.” If you or your company is subject to these SEC disclosure requirements, or have questions about the SEC’s new guidance, please reach out to the Dentons cybersecurity team to discuss how our cost effective strategies can help mitigate your risk and provide an assessment of your overall cybersecurity reporting readiness.

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral NetworkThe Dentons Privacy and Cybersecurity Group operates at the intersection of technology and law, and has been singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.  

 

SEC Updates Guidance On Cybersecurity Risk And Incident Disclosure Requirements

Survey Says…Cybersecurity Remains A Critical Challenge For Business

On March 14, 2018, IBM Security announced the results of a new global study on organizational cybersecurity readiness and resiliency entitled “The 2018 Cyber Resilient Organization.” The new survey includes insights from more than 2,800 security and IT professionals, and makes clear that cybersecurity readiness and resilience remain a critical challenge for businesses worldwide:

  • 77% of respondents admit they do not have a formal cybersecurity incident response plan applied consistently across their organization;
  • 77% of respondents report having difficulty retaining and hiring quality IT security professionals;
  • 50% of respondents believe their incident response plan is either informal, ad hoc, or non-existent;
  • 60% of respondents consider lack of investment in artificial intelligence and machine learning as the biggest barrier to achieving cyber resilience;
  • 31% of respondents believe they have an adequate cybersecurity budget in place;
  • 29% of respondents report having ideal staffing to achieve cyber resilience; and
  • 23% of respondents say they do not currently have a CISO or security leader.

Cyber resiliency and preparedness remain a challenge for businesses worldwide.

Despite these results, 72% of respondents report feeling more cyber resilient than they were last year. Is this confidence misplaced?

The new results largely track the results of PricewaterhouseCoopers’ Global State of Information Security Survey (GSISS) 2018, which found that of the more than 9,500 senior executives surveyed in 122 countries:

  • 67% have an internet of things (IoT) security strategy in place or are currently implementing one;
  • 36% have uniform cybersecurity standards and policies for IoT devices and systems;
  • 34% have new data collection, retention and destruction policies; and
  • 34% assess device and system interconnectivity and vulnerability across the business ecosystem.

These low results for cyber preparedness and resiliency present a significant risk for business. In its Global Risk Report 2017, the World Economic Forum found that “large-scale cyber-attacks or malware causing large economic damages” or “widspread loss of trust in the internet” remain the primary business risks in North America.

Organizations must be better prepared for cybersecurity incidents, which can result from unintentional events or deliberate attacks by insiders or third parties, such as cyber criminals, competitors, nation-states, and “hacktivists.” A prior IBM Study on the cost of data breaches found, using a sample of 419 companies in 13 countries and regions, that 47% of data breach incidents in 2016 involved a malicious or criminal attack, 25% were due to negligent employees or contractors (i.e., a human factor), and 28% involved system glitches, including IT and business process failures.  Organizations that fall victim to successful cyber attacks or experience cyber incidents may incur substantial costs and suffer significant consequences, including remediation costs, increased cybersecurity protection costs, lost revenue, litigation and legal risk, reputational damage, increased insurance premiums, and damage to the organization’s competitiveness and shareholder value.

Making things more complicated, there are number of new regulatory regimes requiring covered enterprises to develop robust cybersecurity policies, safeguards, and incident response plans, including the New York Department of Financial Service Cybersecurity Rules and the US Security and Exchange Commission’s recent guidance on cybersecurity risk and incident disclosures.

If you or your enterprise are looking to assess your current cybersecurity practices, risk profile, or incident response preparedness, including legal compliance, or create new systems, policies, and processes, the Dentons cybersecurity team is prepared to help.

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral NetworkThe Dentons Privacy and Cybersecurity Group operates at the intersection of technology and law, and has been singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.  

 

Survey Says…Cybersecurity Remains A Critical Challenge For Business

IRS Warns About New Cyber Scam Targeting Taxpayers

Last month, the United States (US) Internal Revenue Service (IRS) issued a warning to US taxpayers that cyber criminals are increasing their efforts to steal more detailed financial information from taxpayers in order to provide a more detailed, realistic tax return and better impersonate legitimate taxpayers. These efforts include targeting tax professionals, human resource departments, businesses, and other enterprises that store large amounts of sensitive financial information. To mitigate against this threat, the IRS recommended that taxpayers and businesses that store taxpayer information take three steps:

  • Use Security Software. Use security software with firewall and anti-virus protections, and ensure the security software is always turned on and can automatically update. Encrypt sensitive files stored electronically, such as tax records, and use strong and unique passwords for each account.
  • Watch Out For Scams. Recognize and avoid phishing emails, threatening calls and texts from individuals posing as legitimate organizations, such as banks or credit card companies, or even the IRS. Do not click on links or download attachments from unknown or suspicious emails.
  • Protect Personal Data. Don’t routinely carry Social Security cards and make sure tax records are secure. Shop at reputable online retailers. Treat personal information like cash – don’t leave it lying around.

Recently, the IRS issued a specific warning of a quickly growing scam involving erroneous tax refunds being deposited into taxpayer bank accounts. Specifically, after stealing client data from tax professionals and filing fraudulent tax returns, cyber criminals are using taxpayers’ real bank accounts for the deposits and then using various tactics to reclaim the refund from taxpayers. In one version of the scam, criminals posing as debt collection agency officials acting on behalf of the IRS contact taxpayers to say a refund was deposited in error, and ask the taxpayers to forward the money to their collection agency. In another version, the taxpayer who receives the erroneous refund gets an automated call with a recorded voice saying the person is from the IRS. That person then threatens the taxpayer with criminal fraud charges, an arrest warrant and a “blacklisting” of their Social Security Number. The recorded voice gives the taxpayer a case number and a telephone number to call to return the refund.

In its new warning, the IRS repeats its call for tax professionals to increase the security of sensitive client tax and financial files, and outlines steps impacted individuals and enterprises may follow in the wake of a breach, including those outlined in Tax Topic Number 161-Returning an Erroneous Refund and the Taxpayer Guide to Identity Theft.

These new threats highlight the way cyber criminals are uniquely attempting to access sensitive personal information. As businesses increase their encryption and security efforts, these unique efforts by malicious actors will only increase. If you or your enterprise stores or transmits sensitive personal information, such as taxpayer identifying information, you should take time to audit your current practices surrounding how that data is secured, and how your relationships with third parties may impact that security. The Dentons cybersecurity team is prepared to help in those efforts.

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral Network. The Dentons Privacy and Cybersecurity Group operates at the intersection of technology and law, and has been singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.  

IRS Warns About New Cyber Scam Targeting Taxpayers

NIST Releases Draft Update To Cybersecurity Framework

In 2014, the National Institute of Standards and Technology (NIST) released its first version of the Framework for Improving Critical Infrastructure Cybersecurity (Cyber Framework). The Cyber Framework was originally developed as a voluntary framework to help private organizations and government agencies manage cybersecurity risk in the critical infrastructure space (e.g., bridges, power grid, etc.). Since then, it has been widely adopted across industry as a benchmark standard for measuring an enterprise’s cybersecurity readiness.

Following feedback NIST received in December 2015 from a Request for Information, and comments from attendees at the Cybersecurity Framework Workshop in 2016 held at the NIST campus in Maryland, NIST released a draft update to the Cyber Framework in January 2017 called Version 1.1. Some of the key changes in the draft update included:

  • Adding a new section on cybersecurity measurement to discuss the correlation of business results to cybersecurity risk management metrics and measures;
  • Expanding the use and understanding of cyber supply chain risk management frameworks;
  • Accounting for authentication, authorization, and identity proofing in the access control section of the framework; and
  • Better explaining the relationship between the various implementation tiers and profiles.

Last week, NIST released a second draft of Version 1.1, which is open for public comment through January 20, 2018. The new draft expands on issues such as supply chain security and vulnerability disclosure programs. It also emphasizes the need for companies using the framework to develop metrics to quantify their progress. NIST says it hopes to finalize Version 1.1 in the spring of 2018.

If you are interested in submitting comments on the new draft of Version 1.1, or learning more about its proposed changes that will likely take effect in 2018, the Dentons Privacy and Cybersecurity Group is ready to assist.

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral NetworkDentons’ Privacy and Cybersecurity Group operates at the intersection of technology and law, and has been singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.  

NIST Releases Draft Update To Cybersecurity Framework

HHS Issues Quick Response Cyber Attack Checklist

Last month, after the WannaCry ransomware attack infected 230,000 computers in 150 countries, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a “Quick-Response Checklist” for HIPPA covered entities and business associates to follow when responding to a ransomware attack or other “cyber-related security incident,” as that phrase is defined under the HIPAA Security Rule. 45 C.F.R. 164.304.

Checklist Recommendations

The checklist provides four recommendations:

  1. Execute the response and mitigation procedures and contingency plans. Entities should immediately fix any technical or other problems to stop the incident and take steps to mitigate any impermissible disclosure of protected health information (either done by the entity’s own information technology staff, or by an outside entity brought in to help).
  2. Report the crime to other law enforcement agencies. This includes state or local law enforcement, the FBI, or the Secret Service. The OCR makes clear that any such report should not include protected health information (unless otherwise permitted by the HIPPA Privacy Rule).
  3. Report all cyber threat indicators to federal and information-sharing and analysis organizations (ISAOs). A cyber threat indicator is defined under federal law as information that is necessary to identify malicious cyber activity. The US Department of Homeland Security, the HHS Assistant Secretary for Preparedness and Response, and private-sector cyber-threat ISAOs are all identified as acceptable information-sharing organizations under the new checklist. The OCR, however, makes clear that it does not receive reports from its federal or HHS partners.
  4. Report the breach to OCR as soon as possible, “but no later than 60 days after the discovery of a breach affecting 500 or more individuals.” Entities should notify “affected individuals and the media unless a law enforcement official has requested a delay in the reporting.” The OCR also presumes that all cyber-related security incidents where protected health information was accessed, acquired, used, or disclosed are reportable breaches unless the information was encrypted by the entity at the time of the incident or the entity determines, through a written risk assessment, that there was a low probability that the information was compromised during the breach. An entity that discovers a breach affecting fewer than 500 individuals has an obligation to notify individuals without unreasonable delay, but no later than 60 days after discovery. And the OCR must be notified within 60 days after the end of the calendar year in which the breach was discovered.

In the end, the OCR states that it considers “all mitigation efforts taken by the entity during any particular breach investigation,” including the voluntary sharing of breach-related information with law enforcement agencies and other federal and analysis organizations, as outlined in the checklist.

Takeaways

The OCR’s checklist makes clear that preparing for, and responding quickly to any potential breach should be a priority for HIPPA covered entities and their business associates. This includes preparing or updating enterprise wide incident response plans, training leadership, implementing effective governance programs, and having the ability to rapidly mobilize a response to malicious activity. Dentons’ global Privacy and Cybersecurity Group, in conjunction with Dentons’ leading healthcare practice, has extensive experience helping entities prepare and execute such plans and dealing with the rapidly changing legal and regulatory landscape that emerges in the aftermath of a security incident.

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral Network. Dentons’ global Privacy and Cybersecurity Group operates at the intersection of technology and law, and was recently singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.  

HHS Issues Quick Response Cyber Attack Checklist