SEC Guidance on Disclosure of Cyber Incident by Public Companies - A Refresher
Source: Strategic Finance Magazine

Given the frequency of cybersecurity incidents, this is a good time to revisit the Securities and Exchange Commission's (SEC) 2018 guidance on cybersecurity disclosures by public companies. Many of these concepts are also found in the Canadian Securities Administrators' (CSA) Staff Notice 11-332.

General Principle

According to the SEC, given the frequency, magnitude and cost of cybersecurity incidents, it is critical that public companies inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.

The SEC goes on to say that, "crucial to a public company’s ability to make any required disclosure of cybersecurity risks and incidents in the appropriate timeframe are disclosure controls and procedures that provide an appropriate method of discerning the impact that such matters may have on the company and its business, financial condition, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents." [emphasis added]

Materiality

According to the SEC, in addition to the information expressly required by the SEC's regulations, a company must disclose "such further material information, if any, as may be necessary to make the required statements, in light of the circumstances under which they are made, not misleading."

It is noteworthy that the SEC considers omitted information to be material if there is a substantial likelihood that a reasonable investor would consider the information important when making an investment decision.

Materiality will depend on:

  • Importance of any compromised information;
  • Impact of the incident on the company's operations;
  • The incident's nature, extent and potential magnitude;
  • Harm the incident could cause to the company's reputation, financial performance, and customer and vendor relationships;
  • Possibility of litigation or regulatory investigations or actions.

While the SEC recognizes that an investigation into a cybersecurity incident can take time, it notes that this "would not on its own provide a basis for avoiding disclosure of a material cybersecurity incident."

Disclosure of Cyber Risks

Companies should consider the following issues, among others, in evaluating cybersecurity risk factor disclosure:

  • occurrence of prior cybersecurity incidents (including their severity and frequency);
  • probability of the occurrence and potential magnitude of cybersecurity incidents;
  • adequacy of preventative actions taken to reduce cybersecurity risks and the associated cost;
  • aspects of the company's business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks;
  • costs associated with maintaining cybersecurity protections (including insurance);
  • potential for reputational harm;
  • laws and regulation that may affect the requirements to which companies are subject and the associated costs; and
  • litigation, regulatory investigation and remediation costs associated with cybersecurity incidents.

Other Considerations

The guidance document lists other factors that should be considered when drafting cybersecurity incident and/or risk disclosures:

  • Disclosure of legal proceedings (including regulatory investigations) stemming from a cybersecurity incident (Item 103 of Regulation S-K);
  • Financial statement disclosure: information about the range and magnitude of the financial impacts of a cybersecurity incident should be incorporated into the company's financial statements on a timely basis as the information becomes available;
  • Disclosure of Board role in the risk oversight (Item 407(h) of Regulation S-K and Item 7 of Schedule 14A);
  • Insider Trading: directors, officers and other corporate insiders should take care to comply with insider trading prohibitions when in possession of information about cybersecurity risks and incidents that is not yet public.

What Does This All Mean?

While the number of cybersecurity incidents has increased globally in the past 18 months, an interesting development is the ability of threat actors to compromise large public organizations that dedicate significant resources to cybersecurity. Further, the incidents are more impactful and can, in some instances, meet the materiality threshold discussed above.

Understanding what should be considered and what should be disclosed in a public disclosure document, either in Canada or the United States (or elsewhere), can be tricky to say the least. This is because it is not immediately clear what the impact of a cybersecurity incident may be on a company.

Having on-hand a materiality matrix and understanding what factors should be considered should be built into every public company's Cyber Incident Response Plan (CIRP).

One last point: once a decision is made to disclose, particular care should be taken to ensure that the disclosure is accurate and not misleading. There are several examples where companies tried to downplay the impact of a cybersecurity incident in their disclosure and were found to have been offside.

For more reading on this topic, check out this excellent article from Harvard Law School Forum on Corporate Governance:


More articles by Imran Ahmad