At the height of the 10-K filing season for fiscal year 2017, the SEC issued additional guidance on its expectations for cybersecurity disclosures. Cyber has been a priority topic for the SEC for several years, and the cost to companies of preventing a breach, and then responding to one, cannot be overstated.
The SEC took a wider view of the issue in the introduction to its interpretation, stating: “Whether it is the companies in which investors invest, their accounts with financial services firms, the markets through which they trade, or the infrastructure they count on daily, the investing public and the U.S. economy depend on the security and reliability of information and communications technology, systems and networks.” Cyber threats put at risk both publicly traded companies and the underpinnings of our capital markets.
The new guidance reinforces the need for cybersecurity disclosures and expands the existing 2011 staff guidance. The two additions are:
- Disclosure Controls and Procedures – According to the interpretation, companies should “assess whether they have sufficient disclosure controls in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to appropriate personnel, including up the corporate ladder…” While no separate testing of these controls is mandated as part of the annual controls certification, it is notable that filers are now specifically expected to consider cybersecurity in their disclosure controls. Additionally, the Board’s role in overseeing cybersecurity risk should be disclosed where such risks are material to the organization.
Most organizations should expect to expand their cybersecurity disclosures in future filings. Sections of the filing where cyber disclosures may belong include risk factors, description of business, MD&A, legal proceedings and the financial statement disclosures.
- Insider Trading – Companies must maintain controls and procedures that prevent trading while insiders are aware of material non-public information. If an organization is investigating a potential cyber incident, it should consider restricting trading in its securities by insiders until the incident has been assessed and, where required, disclosed.
Many regulated entities (such as financial institutions, telecom and healthcare providers) and larger companies may already have risk management processes in place that address cyber risks. For these entities, the additional work should consist of confirming that the disclosure controls and processes are operating as intended and considering the additional disclosure expectations for future filings.
For entities with a less robust approach to managing cyber risk, we suggest the following:
- Implement appropriate disclosure controls and procedures for cybersecurity. This can be as simple as documenting the informal processes already in place. Management should also weigh the materiality of cyber risks when evaluating the strength of the related processes and controls. The disclosure controls and procedures should document the Board’s responsibility for oversight of cyber risks, and Boards may also want to evaluate whether they need cyber training to monitor these risks properly.
- For organizations with higher cyber risk, or whose Boards are asking for more visibility into the company’s cyber risk management approach, obtain a SOC for Cybersecurity examination. This examination provides an independent, objective assessment of the entity’s cybersecurity risk management program, its controls and the related disclosures.
- Finally, an enterprise risk management (ERM) program is well suited to larger, more complex organizations that wish to evaluate and manage not only cyber risks but also operational, legal and compliance risks.
The new SEC guidance is the next step down a path of increased scrutiny and expectation from regulators regarding cyber risks. Starting today can increase transparency with your Board and shareholders and reduce the regulatory burden in the future.