There is no doubt that cybersecurity risks in some cases pose grave threats to companies and their stakeholders.
According to the January 2018 Cybersecurity Report, cyber crime damage costs will hit $6 trillion annually by 2021. So it's easy to understand why regulators are concerned about disclosure and transparency when it comes to cybersecurity risks and incidents.
Cybersecurity System
In April 2016, H.R.5069 – Cybersecurity Systems and Risks Reporting Act was introduced, and many professionals predicted that new and updated interpretive guidance would follow. What I found useful in the proposed legislation, and what may be useful to you as well when addressing cyber risk and disclosure, was its definition of a “Cybersecurity System”, which follows –
“A set of activities or state, involving people, processes, data or technology, whereby the protection of an information system of the issuer is secured from, or defended against, damage, unauthorized use or modification, misdirection, disruption or exploitation.”
SEC’s New Interpretive Guidance
On February 21, 2018, public companies received new interpretative guidance from the SEC on the disclosures they should make related to cybersecurity.
The previous interpretive guidance, issued in October 2011, stated that companies may be obligated to disclose cybersecurity risks and incidents, but it did not provide specific disclosure requirements. The increasing number and severity of cybersecurity incidents has led the SEC to conclude that more specific disclosure requirements are necessary.
In an interpretation and statement, the SEC stated that it expects companies to disclose cybersecurity risks and incidents that are material to investors, including financial, legal, or reputational consequences.
Companies should also consider any obligations that may be imposed by exchange listing requirements. For example, the NYSE requires listed companies to “release quickly to the public any news or information which might reasonably be expected to materially affect the market for its securities.”
The SEC guidance states that companies should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder. This enables senior management to make disclosure decisions and certifications, and supports policies and procedures designed to prohibit directors, officers, and other corporate insiders from trading on the basis of material nonpublic information about cybersecurity risks and incidents.
The guidance further states that, when designing and evaluating disclosure controls and procedures, companies should consider whether such controls and procedures will appropriately record, process, summarize, and report the information related to cybersecurity risks and incidents that is required to be disclosed in filings. Controls and procedures should enable companies to identify cybersecurity risks and incidents, assess and analyze their impact on the company’s business, evaluate the significance associated with such risks and incidents, provide for open communication between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents.
Securities Act of 1933 and Exchange Act of 1934
Companies should consider the materiality of cybersecurity risks and incidents when preparing the disclosure that is required in registration statements under the Securities Act of 1933 (“Securities Act”) and the Securities Exchange Act of 1934 (“Exchange Act”), and periodic and current reports under the Exchange Act.
Disclosure Controls and Procedures
Exchange Act Rules under Section 13(a)-14 and 15(d)-14 require a company’s principal executive officer and principal financial officer to make certifications regarding the design and effectiveness of disclosure controls and procedures. In addition, Item 307 of Regulation S-K and Item 15(a) of Exchange Act Form 20-F require companies to disclose their conclusions on the effectiveness of disclosure controls and procedures.
These certifications and disclosures should take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact. In addition, to the extent cybersecurity risks or incidents pose a risk to a company’s ability to record, process, summarize, and report information that is required to be disclosed in filings, management should consider whether there are deficiencies in disclosure controls and procedures that would render them ineffective.
The Board and Audit Committee
The board and audit committee need to understand the control environment and monitor the company’s obligations under existing laws and regulations with respect to matters involving cybersecurity risk and incidents.
They should also understand the company’s cybersecurity risk assessment process, the risks identified, the controls in place, and policies and procedures.
Lastly, as a result of the SEC’s new interpretive guidance, understanding the application of disclosure controls and procedures, insider trading prohibitions, Regulation FD and the disclosure of material information, and selective disclosure prohibitions in the cybersecurity context is a must.
Remember that as technology advances, so do the threats; it is harder than ever to protect business processes and information, so ensure the company’s cyber strategy is alive and well.
I look forward to your comments, thoughts, and suggestions.
- Journal of Accountancy