The Securities and Exchange Commission (“SEC” or “Commission”) has given public companies a heads up on where the Commission is setting its sights in the ever-developing world of cybersecurity. Here’s what you need to know, and what you need to do, to stay on the right side of the SEC.
Public companies have experienced some significant and high-profile data breaches since the SEC issued its previous cybersecurity guidance in 2011. In light of the issues we have seen in recent years, the SEC released a new interpretive guidance (available here), updating the 2011 document and emphasizing the importance and complexity of companies’ reporting obligations as they relate to cybersecurity.
Two topics included in the new guidance did not appear in the prior version, and therefore should be particularly heeded: (1) the need for public companies to have strong cybersecurity policies and procedures in place; and (2) how prohibitions on insider trading apply in the cybersecurity arena. The new guidance also drives home the SEC’s continuing commitment to monitoring cybersecurity-related disclosures.
The guidance makes clear that a head-in-the-sand approach to cybersecurity issues is not an option. Effective, proactive disclosure protocols and procedures are essential elements of appropriately handling cybersecurity threats (potential or actualized), the guidance notes, and “the Commission believes that the development of effective disclosure controls and procedures is best achieved when a company’s directors, officers, and other persons responsible for developing and overseeing such controls and procedures are informed about the cybersecurity risks that the company has faced or is likely to face.”
The SEC also reminds public companies that cybersecurity policies and procedures must address insider trading, because information about a cybersecurity incident can easily fall under the “nonpublic material information” umbrella. When in possession of such information, directors, officers, and other corporate insiders must not trade company securities.
While the guidance contains many details that public companies should study carefully, the overarching lesson is that the SEC is taking cybersecurity very seriously and seems to be taking the position that the best defense is a good offense. Cozen O’Connor’s cybersecurity team stands ready to help companies develop and implement effective policies and procedures to minimize risk and maximize compliance with SEC rules and regulations as they relate to cybersecurity.
Matt has counseled clients on the evaluation of data privacy risks, responses and solutions, and he serves as a breach coach, providing analysis and advice to address data breach events, including forensics, notification pursuant to federal and state laws, credit monitoring, and public relations issues. In addition to breach response, Matt has counseled insurers on the underwriting of cyber/tech policies.
