SEC Cyber ​​Security Guide for Capital Markets

The Securities and Exchange Commission (“SEC”) published extensive interpretive guidance (the “2018 Guidance”) on February 21, 2018, building on the cybersecurity guidance its staff issued in 2011. Below are five key points that will be essential to complying with federal securities laws on cybersecurity in the future.

1. The SEC recognizes that effective cybersecurity has never been more important to the capital markets and our country.

In the immediate aftermath of the Equifax breach, it is not surprising that the SEC acknowledges that “[c]ybersecurity risks pose grave threats to investors, our capital markets, and our country” and that “the importance of data management and technology to business is analogous to the importance of electricity and other forms of power in the past century.”[1]

The SEC understands that inadequate cybersecurity, and the incidents it allows, can destroy shareholder value, and it is serious about using its authority to reduce that risk. Reminding companies that “[c]ybersecurity risk management policies and procedures are key elements of enterprise-wide risk management, including as it relates to compliance with the federal securities laws,” the SEC has made clear that compliance must begin at the level of policies and procedures, not when a material adverse cybersecurity event occurs.[2]

2. Adequate cybersecurity controls are required to comply with the mandatory disclosure of material cybersecurity incidents under federal securities laws and to prevent insider trading based on material nonpublic information.

The SEC continues to reinforce that federal securities laws require (a) mandatory disclosure of material cybersecurity events and (b) that companies have a duty to prevent insider trading, including transactions made on the basis of material nonpublic information involving cybersecurity incidents.

Compliance will not be possible without effective underlying controls that are in place and running before a major cybersecurity event occurs. According to the SEC:

Disclosure controls and procedures are crucial to a public company’s ability to make any required disclosures of cybersecurity risks and incidents in an appropriate time frame that provide an appropriate method of discerning the impact such matters may have on the company and its business, financial situation and results of operations, as well as a protocol to determine the potential materiality of said risks and incidents.[3]

Implementing such controls will require ongoing cooperation between information technology, finance, operations, and those who manage risk generally. Siloed compliance functions will not suffice.

Building on this effort, companies should create and enforce a set of controls that reduce the risk of insider trading around cybersecurity incidents by “protect[ing] against directors, officers, and other corporate insiders taking advantage of the period between the company’s discovery of a cybersecurity incident and public disclosure of the incident to trade on material nonpublic information about the incident.”[4] Stakeholders should note that such insider-trading controls can only be as effective as the underlying controls used to determine which incidents are material in the first place.

3. Companies can use the SEC factors provided to help determine what is material. Generally speaking, the more damaging, costly, and problematic a cybersecurity incident is, the more likely it is to be material.

The SEC has provided expanded guidance on what cybersecurity incidents will be considered material. Companies should analyze a given cybersecurity incident using the factors provided by the SEC below:

a. Remediation costs, including “liability for stolen assets or information, system damage repairs, and incentives for customers or business partners in an effort to maintain relationships after an attack”;

b. Increased cybersecurity protection costs, which may include the costs of making organizational changes, deploying additional staff and protection technologies, training employees, and hiring outside experts and consultants;

c. Loss of revenue resulting from unauthorized use of proprietary information or failure to retain or attract customers after an attack;

d. Litigation and legal risks, including regulatory actions by state and federal agencies;

e. Increased insurance premiums;

f. Reputational damage; and

g. Damage to the company’s competitiveness, share price, and long-term shareholder value.[5]

While the analysis will depend on the specific cybersecurity incident in question, companies can be assured that the greater the expense, damage, and risks created by the incident, the more likely it is to be considered material. The use of these factors, and the prophylactic documentation of an enterprise-level materiality determination, will depend on the appropriate pre-existing cybersecurity controls discussed in the previous section.

4. Companies should focus on disclosing information that allows investors to appreciate why a security incident matters. Companies do not need to disclose technical information that could put their cybersecurity at risk; however, the SEC also will not accept an internal or external investigation as a reason to delay a material cybersecurity disclosure.

What must companies disclose for effective disclosure of a material cybersecurity incident? Companies should focus on informing investors in a way that allows them to appreciate risk in light of the factor-based framework in the previous section. Companies do not need to disclose technical information that could provide a “roadmap” for a potential attacker. The SEC acknowledges that such detailed technical information is unlikely to help investors appreciate investment risk and could put companies at greater risk.

However, companies seeking to delay a material disclosure should beware that “an ongoing internal or external investigation, which often can be lengthy, would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.”[6] This means that law enforcement investigations may not serve as a means of delaying disclosure, especially when a material disclosure can be made without revealing sensitive technical details.

5. Companies have a duty to update their disclosures regarding material cybersecurity incidents as a result of ongoing investigations.

The SEC reminded companies that they must update disclosures that become materially inaccurate while reasonable investors are still relying on them. For example, further investigation may reveal additional material facts or show that earlier disclosures were based on incomplete conclusions.

©1994-2022 Mintz, Levin, Cohn, Ferris, Glovsky, and Popeo, P.C. All rights reserved. National Law Review, Volume XII, Number 98