SEC on Cybersecurity
Posted: April 2, 2018
Many people may have missed a big release by the SEC on cybersecurity reporting. It’s easy to understand why. First off, many people are getting ready for the initial quarter of reporting under the new revenue standard. Second, others probably thought the SEC made some statements on reporting about cybersecurity several years ago and nothing was said about new disclosure requirements, so the news must not be a big deal. That would be a mistake.
The new interpretive guidance came from the Commission, not the SEC staff as was the case in 2011. With the Commission adding its weight behind the new guidance, companies need to pay attention because ignoring the advice can come with much more serious consequences to registrants.
Much of the guidance is like the guidance the staff provided back in 2011, but there are some key additions. The first is around having controls in place so that cyber-attacks are reported adequately and in a timely manner. Legal and accounting groups with SEC reporting responsibility need to start talking to whatever group in the company is responsible for monitoring and managing threats from cyber-attacks. SOX compliance organizations also need to seriously consider adding a new disclosure control specifically about such incidents.
The second addition is around discussion of trading in the company’s stock with knowledge of cyber breaches. The SEC provided specific warnings about trading by Directors, Officers or other corporate insiders in advance of disclosures about a breach. If those disclosures prove to be material, then such trading would be deemed illegal. Given that materiality is in the eye of the beholder, or in this case regulators, judges, and juries of your non-peers, anyone with such knowledge should probably refrain from any trading until 24 hours after the disclosure is made by the company.
The Commission has graciously provided examples of potential disclosures, so there is no excuse for not knowing what the SEC expects to see in 8-Ks, 10-Qs and 10-Ks. The release was made after calendar-year 10-Ks were due, so the first time the new guidance will be effective for recurring reporting is in the next quarterly filing for most companies. You might want to consider taking a breather from putting together those new revenue disclosures and consider what cybersecurity disclosures are now also necessary.