The US Securities and Exchange Commission recently released nonbinding guidance discussing issuers’ obligations to publicly disclose cybersecurity risks. The new guidance is not groundbreaking – Democratic Commissioner Robert J. Jackson Jr. stated that it “essentially reiterates years-old staff-level views on the issue.”

In short, the new guidance:

  • Affirms the widely held notion that firms sometimes need to disclose cybersecurity risks, incidents, and costs; and
  • Provides that company insiders should not trade shares when they know nonpublic information about an incident – apparently a reaction to widespread concern following the Equifax hack.

The guidance doesn’t impose new obligations, but it does outline the SEC’s vision of appropriate cybersecurity governance. For example, CEOs and CFOs should “take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents” when making required certifications in SEC filings – i.e., CEOs and CFOs should be informed of the details of their company’s cybersecurity protocols. These rules make the guidance look less like disclosure regulations and more like a substantive cybersecurity-governance rule, like the ones promulgated by the New York State Department of Financial Services.

The guidance, both expansive and imprecise, does not clarify key questions companies face after incidents. For example:

  • “We identified an individual who compromised our systems, but we’re not sure if he acted alone. If we say he was solo, we may have to revise the disclosure, possibly exposing ourselves to lawsuits. If we say that he may have been part of a group, we’re admitting more risk than we’ve confirmed and may spook investors. What should we do?”
    • The guidance “[u]nderstand[s] that some material facts may be not available at the time of the initial disclosure,” but “remind[s] companies that they may have a duty to correct prior disclosure that…omitted a material fact necessary to make the disclosure not misleading.”
  • “We’ve noticed that some of our data was corrupted, which may have been due to a technical glitch or because of an unauthorized intrusion. If it’s a technical glitch, we have backup files and the risk is not ‘material.’ If it’s an intrusion, the data may have been misappropriated and the damage could be ‘material’ – it could lead to litigation or loss of competitive advantage. We’re still looking into the matter – should we disclose it?”
    • The guidance says only that “an ongoing internal or external investigation…would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.”
  • “We’ve identified key risks that are specific to our business, like the risk that someone steals our sales figures, but we’re also susceptible to general risks, like hackers cutting off our Internet connection. Should we disclose the specific risk, the general one, or both?”
    • The guidance provides that “[c]ompanies should avoid generic cybersecurity-related disclosure and provide specific information that is useful to investors,” while also including any information “that a reasonable investor would consider… important in making an investment decision.”