While new data privacy rules in the European Union have dominated the news lately, the U.S Securities and Exchange Commission (SEC) has not so quietly been making waves of its own in the regulation of cybersecurity. In February ,the SEC issued fresh guidance to public companies on the disclosure of cybersecurity issues, both in identifying risks prospectively and in disclosing breaches quickly. It then followed up that guidance in April with its first ever fine of a public company for failing to promptly disclose a data breach. Together, the SEC’s recent actions make it very clear that data breaches at public companies are high on its agenda.
On February 21, 2018, the SEC issued guidance to public companies on their disclosure obligations for cybersecurity issues. The two overarching issues from the SEC guidance that public company managers should keep in mind are (1) the emphasis on controls and procedures that facilitate detailed disclosure of risks as well as prior incidents; and (2) the range of issues that the SEC expects public companies to consider in evaluation the risks and the need for disclosure.
On the first of these, the SEC clearly considers board oversight a prerequisite for fulfilling disclosure obligations. Board oversight in turn requires controls and procedures for ensuring that relevant information on risks and incidents is reported to the right personnel and up the ladder to allow senior management to make the disclosure decisions. In addition, the SEC stresses that those controls and procedures are necessary to create and enforce policies designed to prohibit insider trading. At its core, the SEC guidance is that proper disclosure requires the timely collection and processing of information, and companies that will be successful in making their disclosure will have effective policies and procedures for that collection and processing.
On the second theme of the guidance, the evaluation of risk, the guidance does not contain any specifics on how public companies can satisfy their obligations to disclose cybersecurity risks, since the type and level of risk varies widely between companies and industries. However, the SEC does identify some issues to consider in risk analysis including:
- Frequency and severity of prior cyber incidents;
- Probability and potential magnitude of future incidents;
- Adequacy and costs of preventative measures;
- Company and industry specific risks;
- Costs of maintaining cybersecurity protections;
- Potential for reputational harm;
- Laws and regulations the company is subject to that may affect costs; and,
- Litigation, investigation, and remediation costs.
Two months after issuing this guidance, on April 24, 2018, the SEC announced a $35 million settlement with Altaba, f/k/a Yahoo over its violation of the securities laws by failing to disclose a cybersecurity breach. The action against Altaba puts a fine point on the recent guidance, demonstrating to public company managers the potential consequences of ignoring the SEC’s announcement of their intentions with respect to cybersecurity disclosures. Altaba had suffered an intrusion in December 2014 in which hackers stole personal data on hundreds of millions of users. Company management allegedly learned of the hack within days, but failed to adequately assess whether the breach should be disclosed to investors. They ultimately disclosed the breach two years later while in the midst of merger negotiations. The SEC’s announcement of a settlement tracks its recent guidance, taking the company to task for failing to have controls in place to evaluate cyber incidents and disclosure requirements.
Public company management should now be on notice that the SEC is as concerned with prompt disclosure of data breaches as it is with the maintenance of controls and procedures that facilitate the evaluation and disclosure of risks and breaches. A failure to disclose may be mitigated if the procedures for risk evaluation and disclosure are robust and followed. But failure to have and follow procedures, especially after the release of the recent guidance would invite SEC enforcement.