New SEC Guidance on Cybersecurity Disclosures: Risks, Incidents, Materiality, Data Governance Procedures

On Feb. 21, 2018, the SEC released guidance on public company cybersecurity disclosures that expanded on 2011 guidance. The guidance requires public companies to disclose cybersecurity risks and incidents and describes factors to determine whether a threat or incident is material. Counsel must be able to tailor appropriate disclosures that strike a balance between disclosing meaningful information and protecting their client’s information systems.

The guidance stresses that “information about a company’s cybersecurity risks and incidents may be material nonpublic information” and warns directors, officers and other corporate insiders against trading securities while in possession of such information. Implementing restrictions on trading the company’s securities may be necessary until public disclosure of a cybersecurity issue.

The SEC’s recent $35 million fine civil penalty levied against Yahoo/Altaba highlights the importance of full and timely disclosure. Cybersecurity is also an examination priority of the SEC's Office of Compliance Inspections and Examinations for the fiscal year 2018. Counsel may be called upon to review internal data governance procedures to ensure that they sufficiently address cybersecurity disclosure.

Listen as our authoritative panel discusses the new guidance and how best to disclose risks and incidents that are deemed “material” in a manner that does not compromise the company’s information systems. The panel will also discuss implications of the guidance for insider trading and internal data security controls and procedures.

1. SEC guidance—disclosure obligations
   1. Material risks associated with cybersecurity and cybersecurity incidents
   2. Management’s views regarding how cybersecurity incidents will affect the company’s financial condition and results of operations
   3. Incidents or threats that materially affect a company’s products, services, business relationships
   4. Material pending legal proceedings related to cybersecurity issues
   5. Costs related to an investigation, remediation and litigation, losses in revenue, and diminished future cash flows
   6. Role of the board of directors in overseeing and managing cybersecurity risks
2. Avoiding insider trading on cybersecurity information—Regulation FD and selective disclosure
3. Implementing data governance policies and procedures for adequate cybersecurity disclosures

The panel will review these and other critical issues:

• What types of information does the SEC suggest that a public company should disclose in connection with ongoing cybersecurity risks and specific data breaches?
• What matters are deemed material under the guidance and what if disclosure could compromise the information systems of a company?
• When does insider trading become a concern in the context of a cybersecurity incident?
• What steps should public companies take now about data governance and disclosure?