Thursday, July 1, 2021

SEC Increasingly Turns Focus Toward Strength of Cyber Risk Disclosures

On June 11, 2021, the Securities and Exchange Commission (“SEC” or “Commission”) announced that it would focus its regulatory agenda on cybersecurity disclosures by publicly traded companies.[1] Given the SEC’s continued interest in cybersecurity issues, a series of high-profile ransomware attacks, and President Biden’s executive order on cybersecurity, it is no surprise that the SEC is taking an increasingly active role in the nationwide response to cybersecurity threats. Although it will be some time before a definitive cybersecurity risk disclosure rule is adopted, a proposal from the SEC is expected in October 2021. In the meantime, publicly traded companies should start preparing for a likely new SEC rule requiring disclosure of cybersecurity risks.

This Legal Update provides background on the new SEC chairman and the rulemaking process, summarizes the SEC’s previous guidance on cybersecurity disclosures, and describes steps public companies can take now to prepare for enhanced SEC oversight of cybersecurity disclosures.

Background

On April 14, 2021, the Senate confirmed Gary Gensler as chairman of the SEC. Shortly thereafter, Chairman Gensler announced an aggressive spring rulemaking agenda that focused on new company disclosures regarding climate change risk, board diversity and workforce diversity. Particularly noteworthy is the Commission’s clear focus on cybersecurity disclosures, or the lack thereof, by publicly traded companies.

Although it is not yet certain what the SEC’s proposed rule will contain, the agenda announcement gives a brief description of the rule the SEC intends to propose. The SEC’s summary states: “[t]he Division [of Corporation Finance] is considering recommending that the Commission propose rule changes to enhance issuer disclosures regarding the governance of cybersecurity risks.”[2]

We will have more insight in October 2021, the target the SEC has set for publishing its proposed rule. Once the proposal is published, the SEC will open a notice-and-comment period during which the public can submit comments. The SEC will take those comments into account in drafting its final rule.

While a definitive cybersecurity disclosure rule is still months away, the SEC’s most recent guidance and the criticism it drew provide context for what may be on the horizon.

The SEC’s 2018 Cybersecurity Guidance

In 2018, the SEC adopted long-awaited guidance on cybersecurity disclosure (the “2018 Guidance”).[3] This marked the first time the Commission itself had provided public companies with official guidance on their cybersecurity disclosure obligations. The 2018 Guidance built on the SEC Division of Corporation Finance’s 2011 staff statement, “CF Disclosure Guidance: Topic No. 2 – Cybersecurity”[4] (the “2011 Guidance”), which instructed publicly traded companies to disclose cyber risks when they are “among the most significant factors that make an investment in the company speculative or risky.”[5]

The 2018 Guidance addressed disclosure obligations under existing laws and regulations, emphasized the importance of disclosure controls and procedures, and explained how to disclose material cybersecurity risks and incidents. It also warned against insider trading while material cybersecurity events remain undisclosed, and against selective disclosure of cybersecurity information. Although the 2018 Guidance was adopted unanimously, some of the commissioners at the time made clear that they considered it insufficient.

In a published statement, then-Commissioner Robert Jackson expressed concern that the 2018 Guidance “essentially echo[es] the longstanding views of staff on the matter. But economists of all stripes agree that much more needs to be done.”[6] He then cited a 2018 report by the White House Council of Economic Advisers, “The Cost of Malicious Cyber Activity in the U.S. Economy,” which raised a number of concerns about the effectiveness of the 2011 Guidance. For example, the report found that ambiguity about disclosure requirements and the meaning of “materiality” led companies, in general, to under-report cyber incidents.

Likewise, then-Commissioner Kara Stein expressed disappointment that the 2018 Guidance was essentially a rebranding of the 2011 Guidance which, according to a 2014 study, “resulted in a series of disclosures that rarely provide differentiated or actionable information to investors.”[7] Commissioner Stein also listed ways in which the Commission could have gone further, including by soliciting comment on proposed rules regarding enhanced board risk-management frameworks, the timeliness and completeness of communications to investors about cyberattacks, and requirements that public companies develop and implement cybersecurity policies and procedures that go beyond mere disclosure.

Ultimately, the 2018 Guidance was just that: guidance. What the SEC is now contemplating is a rule, which is likely to make cybersecurity disclosures mandatory and to bring increased scrutiny of prior disclosures.

Looking Ahead

Public companies can use the 2018 Guidance as a starting point for understanding what the SEC’s proposed rule might entail. But the SEC is unlikely to stop there. The Commission, in consultation with stakeholders, is expected to address the perceived shortcomings of the 2018 Guidance, including by giving clearer direction on the “materiality” and “timeliness” of cyberattack disclosures.

As noted above, a definitive cybersecurity disclosure rule is still some way off. In the meantime, however, companies can take five steps to prepare for the SEC’s new rule.

  1. Prepare criteria for determining materiality. The 2018 Guidance lists criteria that publicly traded companies should consider when determining whether a cybersecurity incident is “material.” These include the nature and extent of the incident and its financial, reputational and operational consequences. Public companies should develop and document an approach to materiality now, as it will be vital in defending future disclosure decisions.
  2. Review and improve policies and procedures. The 2018 Guidance encourages publicly traded companies to adopt substantive policies and procedures for managing cybersecurity risk. In particular, it provides that these policies should contain clear direction on how cybersecurity information is identified and escalated to key stakeholders and senior management so that appropriate disclosures about cybersecurity incidents and risks can be made. Companies that adopted policies in response to the 2018 Guidance should confirm that their policies and procedures still align with it, since its recommendations are likely to become mandatory. Companies that have not yet done so should review their existing policies to treat cybersecurity risks explicitly as potentially material, and should review and update their disclosure controls to ensure they are adequate.
  3. Enhance board oversight. The 2018 Guidance states that the board of directors’ role in overseeing cybersecurity risk should be disclosed when “cybersecurity risks are material to a company’s business.” These disclosures are meant to address how the board “engages with management on cybersecurity issues” and “discharg[es] its [cybersecurity] risk oversight responsibility.” Board members should be encouraged to become more involved and to take steps to understand cybersecurity risks across the organization.
  4. Enhance training. There is no question that organizations should invest in and prioritize their cybersecurity training and compliance programs. Although strong training and compliance programs cannot guarantee that a company will not fall victim to a cyberattack, companies can and should take steps to improve their preparedness for cyber incidents, including with respect to required SEC disclosures.
  5. Review prior filings. Public companies should also consider reviewing their existing periodic disclosures to determine whether prior cybersecurity risks and/or incidents that may now be deemed material were fully and timely disclosed, and should check prior statements for material omissions.

Although the SEC’s proposed cybersecurity disclosure rule will not be released until October, prudent corporate governance and shareholder demand should lead the well-run public company to rethink and improve its cybersecurity disclosure policies and procedures now, so that it is ready for both the inevitable incident and the inevitable disclosure obligation.



source https://collegeeducationnewsllc.com/sec-increasingly-turns-focus-toward-strength-of-cyber-risk-disclosures/
