Complying with Regulatory Requirements and SEC Guidance: A Practitioner’s Perspective for Working with Boards of Directors and Auditors
During the past several years, regulators have increasingly focused attention on public companies’ cybersecurity disclosure policies, and on their responses to and reporting of cyber incidents. The result of this intensified focus is that boards of public companies and financial institutions subject to the jurisdiction of the US Securities and Exchange Commission (SEC or Commission) must carefully weigh how to best present their exposure to cyber threats and how to react in the wake of cyber incidents. This chapter seeks to provide and review guidance regarding how companies and their directors and officers, with their counsel, can navigate the evolving cybersecurity landscape. The topics include: (1) when to contact the board and auditors, and the recommended frequency and nature of such updates; (2) the type of information auditors typically request during post-breach forensic reviews of financial controls required by the Sarbanes-Oxley Act of 2002 (SOX); (3) an overview of SEC guidance regarding boards, disclosures and insider trading; and (4) considerations regarding the content and timing of any SEC disclosure updates.
Brief history of SEC guidance on cybersecurity for public companies
The SEC began a dedicated look at cybersecurity issues and information security for public companies in 2011. In October that year, the staff of the SEC’s Division of Corporation Finance issued guidance (the 2011 Disclosure Guidance) aimed at public issuers to ‘provide an overview of specific disclosure obligations that may require a discussion of cybersecurity risks and cyber incidents’. The 2011 Disclosure Guidance made clear that companies and their boards were already required, under existing rules, to disclose material information regarding cybersecurity risks and incidents. Yet the Guidance, while an important early acknowledgement of the potential impact of cybersecurity issues on public companies, merely emphasised that the familiar materiality standard applies to cybersecurity-related issues. Specifically, the 2011 Disclosure Guidance stated that registrants should disclose existing cybersecurity risks and cyber incidents in relevant SEC filings if those incidents and risks ‘are among the most significant factors that make an investment in the company speculative or risky’. In making this determination, registrants were told to consider factors such as the severity and frequency of any prior cyber incidents, ‘the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks’, and ‘the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware’.
In 2013, there were calls for the SEC to issue further guidance to make cybersecurity disclosures mandatory; the Commission declined to do so. Instead, it began issuing company-specific guidance about what cybersecurity disclosures the company should make. Additionally, in April 2013, the SEC adopted Regulation S-ID, which requires the development and implementation of identity theft programs by certain regulated financial institutions.
In March 2014, the SEC held a Roundtable on Cybersecurity. In her opening remarks, Mary Jo White, then chair of the SEC, called cybersecurity ‘a global threat’ to ‘all of our critical infrastructures, our financial markets, banks, intellectual property, and, as recent events have emphasized, the private data of the American consumer’. She explained that the SEC had ‘formal jurisdiction over cybersecurity’, which it was using to ‘directly focus on the integrity of our market systems, customer data protection, and disclosure of material information’.
Most recently (as at the time of writing), the Commission released updated public company disclosure guidance, in February 2018, ‘emphasiz[ing] that “cybersecurity presents ongoing risks and threats to our capital markets and to companies operating in all industries, including public companies regulated by the Commission” ’ (the 2018 Guidance). Notably, the 2018 Guidance was issued by the Commission itself, rather than staff, which not only enhances the prescriptive value of the statement, but also serves as a marker that the Commission itself is focused on and has made cybersecurity disclosures a priority. The Commission’s statement, which is discussed more fully below, provided companies with much-needed supplementary and detailed guidance as to the SEC’s treatment of material cyber events.
In April 2018, the public finally saw the SEC’s guidance and interpretations on these issues play out in the Commission’s enforcement action against Altaba Inc., formerly Yahoo! Inc., based on Yahoo!’s 2016 disclosures regarding data breaches that had occurred in 2013 and 2014. The Commission’s Order detailed what the SEC found deficient about Yahoo!’s disclosures. First, it found that Yahoo! materially misled investors by disclosing only the risk of potential future data breaches, ‘without disclosing that a massive data breach had in fact already occurred’. Second, the SEC found fault with Yahoo!’s management discussion and analysis of financial condition and results of operations (MD&A) because ‘it omitted known trends or uncertainties with regard to liquidity or net revenue presented by the 2014 data breach’. Third, the Order noted that Yahoo! had made ‘affirmative representations denying the existence of any significant data breaches in a . . . stock purchase agreement’ with Verizon, which was then in the process of acquiring Yahoo!’s operating business. The material consequences of these omissions were plain: after learning of the breaches, Verizon renegotiated the purchase and reduced the price by US$350 million. The SEC imposed a US$35 million civil penalty and issued a cease-and-desist order based on violations of the anti-fraud provisions of the Securities Act and the reporting requirements of the Exchange Act.
While the Yahoo! case was the SEC’s first enforcement action based on inadequate cybersecurity disclosures, the Commission added to the dialogue later in 2018 with its ‘Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements’, which addressed breakdowns in several companies’ internal accounting controls that had allowed each company to fall victim to business email compromise. The Commission identified nine issuers that lost between US$1 million and US$30 million as a result of various forms of email spoofing and phishing. The attacks caused the companies to make unauthorised payments to foreign bank accounts controlled by the perpetrators. The Commission concluded that the frauds exposed weaknesses in the companies’ internal accounting controls, because the payments went through despite the authorisation and verification steps those companies had in place. The report’s bottom-line message states:
internal accounting controls may need to be reassessed in light of emerging risks, including risks arising from cyber-related frauds. Public issuers subject to the [internal control provisions of the federal securities laws] must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly.
Financial regulations and SEC guidance
Board involvement, required disclosures and insider trading
It is evident that the SEC has adopted an increasingly vocal approach in response to the growing threats facing public companies and regulated entities in the cybersecurity field – from issuing guidance, making speeches and hosting roundtables to investigating, reporting on and charging violations stemming from cyber events. However, while cyberattacks are growing increasingly frequent, complex and widespread, there is still a dearth of laws and regulations aimed at ensuring public companies prioritise cybersecurity. The 2018 Guidance aimed to provide the most detailed view of the SEC’s opinion on cybersecurity matters. But this guidance is layered on top of an existing framework of disclosure and control regimes mandated by federal securities laws. While they are not specific to cybersecurity, it is increasingly clear that the SEC expects companies to treat these requirements as if they were, and views existing internal control and disclosure regulations as sufficient tools to compel companies to address their cybersecurity obligations.
Internal control for financial reporting obligations
The SEC’s most powerful financial accounting provisions, adopted more than 40 years ago, may prove to be some of the best tools for combating cyber risks and events. Provisions in the Exchange Act require certain issuers to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed with, or that access to company assets is permitted only with, management’s general or specific authorisation. Specifically, Exchange Act Section 13(b)(2)(B) requires certain issuers to ‘devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that (i) transactions are executed in accordance with management’s general or specific authorization’, and that ‘(iii) access to assets is permitted only in accordance with management’s general or specific authorization’. Exchange Act Rules 13a-15 and 15d-15 require companies to maintain disclosure controls and procedures, and management must evaluate their effectiveness (‘A fundamental aspect of management’s stewardship responsibility is to provide shareholders with reasonable assurances that the business is adequately controlled.’) These regulations are merely signposts – ultimately issuers themselves are in the best position to develop internal accounting controls that account for their particular operational needs and risks in complying with Section 13(b)(2)(B). Additionally, Exchange Act Rules 13a-14 and 15d-14:
require a company’s principal executive officer and principal financial officer to make certifications regarding the design and effectiveness of disclosure controls and procedures, and Item 307 of Regulation S-K and Item 15(a) of Exchange Act Form 20-F require companies to disclose conclusions on the effectiveness of disclosure controls and procedures.
Thus, ‘[w]hile the cyber-related threats posed to issuers’ assets are relatively new, the expectation that issuers will have sufficient internal accounting controls and that those controls will be reviewed and updated as circumstances warrant is not’.
The 2018 Guidance
In this context, the 2018 Guidance stitches together the threads from prior guidance and the Exchange Act’s internal and disclosure control regimes to directly apply those regulations to cybersecurity risks and events.
Maintaining comprehensive disclosure and internal financial controls
The issuance of the 2018 Guidance established that, for public companies, the key elements of enterprise-wide risk management include managing cybersecurity risk policies and procedures and ensuring that those policies comply with the federal securities laws. The 2018 Guidance encourages companies ‘to adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly, including the sufficiency of their disclosure controls and procedures as they relate to cybersecurity disclosure’, and to:
assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications and to facilitate policies and procedures designed to prohibit directors, officers, and other corporate insiders from trading on the basis of material non-public information about cybersecurity risks and incidents.
As a result, the 2018 Guidance stated plainly for the first time that the requirement of assessing the effectiveness of internal and disclosure controls must also include cybersecurity internal controls:
These certifications and disclosures should take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact. In addition, to the extent cybersecurity risks or incidents pose a risk to a company’s ability to record, process, summarize, and report information that is required to be disclosed in filings, management should consider whether there are deficiencies in disclosure controls and procedures that would render them ineffective.
The 2018 Guidance explained that even in designing and evaluating disclosure controls and procedures pursuant to Exchange Act requirements, companies should consider how their controls and procedures mandate the detailing and processing of information relevant to cybersecurity risks and incidents that must be disclosed in filings.
Therefore, good corporate governance dictates that companies should strongly consider conducting forensic assessments of internal and external cyber threats and of a company’s cybersecurity systems. This process, which should be iterative and routine, gives management the confidence it needs to make the necessary assessments and certifications required under the federal securities laws, and to satisfy the 2018 Guidance.
Satisfying disclosure obligations
The standard for disclosure of cybersecurity risks and incidents remains ‘materiality’ under the 2018 Guidance. Thus, companies are directed to consider the materiality of such threats and events when preparing requisite disclosures in registration statements under the Securities Act or the Exchange Act, and the periodic and current reports under the Exchange Act. It is perhaps not surprising that the regulations governing the content of both Securities Act and Exchange Act registration statements and periodic reports and proxy statements required by the Exchange Act – generally found in Regulation S-K and Regulation S-X – do not directly refer to cybersecurity risks or incidents. However, the 2018 Guidance clarifies that these requirements should be read to require disclosure of material cybersecurity-related issues. Companies also have a general requirement under Exchange Act Rule 12b-20 to disclose any other material information that is needed to ensure that the required statements are not misleading. Today, cybersecurity risks must clearly be included within the scope of compliance with this rule as well.
In determining its disclosure obligations, then, a company must carefully assess the potential materiality of any identified cyber risk and the importance of any information that is compromised by an incident. This assessment should consider the nature and the extent of the risk or incident, and the degree of harm to a company’s ‘reputation, financial performance, and customer and vendor relationships, as well as the possibility of litigation or regulatory investigations or actions’. The SEC has recognised that such determinations can take time, and notes that it does not expect ‘detailed disclosures that could compromise [a company’s] cybersecurity efforts’ by disclosing ‘specific, technical information about their cybersecurity systems, the related networks and devices, or potential system vulnerabilities in such detail as would make such systems, networks, and devices more susceptible to a cybersecurity incident’. Instead, the Commission ‘expects companies to disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal, or reputational consequences’ and to do so in a timely manner.
Updating the board and auditors: when, what and who
If a company identifies a serious cyber risk, the company must work to determine how best to disclose the risk to its investors and board members and how to prevent the risk from materialising. If a company identifies not just a risk but an incident, the calculations change and the pressure intensifies as the company must properly contact all stakeholders while in the midst of a crisis. ‘Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.’ Sufficient advance planning, including well developed incident response plans, table-top exercises and crisis communications flow charts, is critical for companies to mitigate disclosure risks in the face of cyber events.
Management also needs to take substantive responsibility to ensure its board is adequately informed about how the company is dealing with cybersecurity risks and incidents. The federal securities laws require a company to disclose the extent of its board of directors’ role in overseeing risk, such as how the board administers its oversight function and the effect this has on the board’s leadership structure. Thus, disclosure of material cybersecurity risks and incidents should include a discussion about the board’s role in managing and overseeing such risks and incidents.
Notifying the board
Once a risk or incident is identified, it is vital to maintain transparency with the board of directors as the threat or event evolves so that the board can best exercise its external and internal oversight function. Not only does board notification ensure proper public messaging, but it is necessary for the board to fulfil its legal duties to the company and ensure the company’s adherence to SEC reporting requirements.
Disclosures to the board should occur soon after what is deemed to be a material (or potentially material) risk or incident, in view of the directors’ duties to the company, which include the duty to obey the law, to fulfil the Caremark duties of loyalty and care, and to assure, in good faith, that the company has a satisfactory information and reporting system. From the latter, it is within the purview of directorial duties to make sure the company has developed and implemented appropriate cyber risk management policies and vigorous security systems.
Working with auditors
The Commission will expect a company, as a best practice, to maintain a close and open relationship with its auditors. This expectation directly ties into Section 404(b) of the Sarbanes–Oxley Act of 2002, which requires a public company’s auditor to attest to, and report on, management’s assessment of its internal control over financial reporting, in the same report that details management’s assessment. To help auditors with this task, companies should understand how auditors will assess the integrity of corporate systems that contain data relevant to financial reporting and internal control requirements. As part of their testing and reviews, auditors often request information about the information technology systems that could affect a company’s reporting of financial results. To facilitate these reviews, companies should consider developing, reviewing and maintaining an inventory of the systems that record, interact with or could affect the company’s financial books and records or its internal control over financial reporting. Equally important is maintaining a record of who holds access to each critical financial reporting system (the accounts, and the individuals or services behind them), so that access can be reviewed periodically and, after an incident, compared against what the investigation finds; this record should describe access, not store the credentials themselves. Ensuring that the auditors have a working understanding of the information technology environment of a company’s key financial control systems fosters the cooperative relationship between management and the external auditors.
In the context of a breach response, auditors will be highly focused on whether the breach extended to the information technology systems associated with financial reporting. Thus, while understandably much of the company’s focus at such a time will be on the systems known to have been compromised, on halting and remediating the breach, and on performing a root cause analysis, an auditor’s task is different. The auditor will be focused on ensuring that the company’s financial reporting controls have not been compromised. This exercise may require establishing the negative, namely that these systems were not affected by the breach, which presents a distinct forensic challenge: absence of evidence is only meaningful where logging for the relevant systems and period is known to be complete. Here, both the auditor and management should be able to leverage earlier work done to understand the relevant systems and environment, particularly if one of those systems was breached, so that the auditors can readily understand the information it contained and how the breach may have affected not only that system but the overall financial control environment. Ultimately, companies should expect auditors to seek evidence that sensitive financial reporting systems and data were not affected by the breach before they attest to internal control over financial reporting under SOX.
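The scoping exercise described above, reduced to a runnable illustration. This is an added example and not code from the chapter or from any audit firm: it takes the three inputs a company would typically hold after an incident (the inventory of systems in scope for internal control over financial reporting, the indicators the incident response team has confirmed, and authentication logs from the in-scope systems) and classifies each system so that the auditors receive evidence rather than assertion. Every host name, account, address, timestamp and the log line format are constructed for the example; in particular the ‘unknown’ outcome shows the case where the negative cannot be established because the logs do not cover the attack window.

```python
"""Scoping a breach against the systems in scope for financial reporting.

Added example, not from the chapter. All names, addresses, timestamps and
the log format are constructed; the classification logic is the point.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed inventory of ICFR-relevant systems (hypothetical host names).
ICFR_SYSTEMS = {
    "erp-prod-01": "general ledger (ERP)",
    "treasury-app-02": "treasury / wire initiation",
    "consol-app-04": "financial consolidation",
    "payroll-db-03": "payroll database",
}

# Constructed indicators supplied by the incident response team.
COMPROMISED_ACCOUNTS = {"svc-backup", "jdoe"}
ATTACKER_SOURCES = {"10.20.30.44"}
WINDOW_START = datetime(2018, 6, 1)
WINDOW_END = datetime(2018, 6, 15, 23, 59, 59)

# Constructed auth log lines:
#   <ISO timestamp> <host> <LOGIN_OK|LOGIN_FAIL> user=<account> src=<ip>
AUTH_LOGS = """\
2018-06-03T08:12:44 erp-prod-01 LOGIN_OK user=finance.clerk src=10.1.1.5
2018-06-04T23:51:02 erp-prod-01 LOGIN_OK user=svc-backup src=10.20.30.44
2018-06-05T09:00:10 treasury-app-02 LOGIN_OK user=treasurer src=10.1.1.9
2018-06-07T02:14:55 treasury-app-02 LOGIN_FAIL user=jdoe src=10.20.30.44
2018-06-10T11:30:00 consol-app-04 LOGIN_OK user=controller src=10.1.1.3
2018-05-20T10:00:00 payroll-db-03 LOGIN_OK user=hr.admin src=10.1.1.7
"""


@dataclass
class Finding:
    status: str = "unknown"            # affected | attempted | clean | unknown
    evidence: list = field(default_factory=list)


def parse_line(line):
    """Parse one constructed log line into a dict."""
    ts, host, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "ok": result == "LOGIN_OK",
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def scope_breach(logs, systems, accounts, sources, start, end):
    """Classify every in-scope system against the IR indicators.

    affected  : a successful authentication by a compromised account or from
                an attacker source inside the window
    attempted : only failed attempts matching an indicator (needs review)
    clean     : log records exist for the window and nothing matched
    unknown   : no log records for the window, so the negative cannot be
                established from these logs alone
    """
    findings = {name: Finding() for name in systems}
    covered = set()
    for raw in logs.strip().splitlines():
        ev = parse_line(raw)
        if ev["host"] not in systems or not (start <= ev["ts"] <= end):
            continue
        covered.add(ev["host"])
        if ev["user"] not in accounts and ev["src"] not in sources:
            continue
        f = findings[ev["host"]]
        f.evidence.append(raw)
        if ev["ok"]:
            f.status = "affected"
        elif f.status != "affected":
            f.status = "attempted"
    for name in systems:
        if findings[name].status == "unknown" and name in covered:
            # Presence of records is a weak proxy for coverage; a real review
            # would confirm the log source forwarded continuously in the window.
            findings[name].status = "clean"
    return findings


def status_summary(findings):
    """Map each system name to its status, for reporting and testing."""
    return {name: f.status for name, f in findings.items()}


if __name__ == "__main__":
    result = scope_breach(AUTH_LOGS, ICFR_SYSTEMS, COMPROMISED_ACCOUNTS,
                          ATTACKER_SOURCES, WINDOW_START, WINDOW_END)
    for name, f in result.items():
        print(f"{name:16} {ICFR_SYSTEMS[name]:28} {f.status}")
        for line in f.evidence:
            print(f"    {line}")
```

The output is a per-system status with the log lines that support it, which is what the auditor will ask for. The ‘unknown’ result for the payroll database is deliberate: its only record falls outside the window, so no claim of ‘not affected’ can be made from these logs, and the company would need to produce other evidence (retention gaps, alternative log sources, or host-level forensics) before the auditor can rely on it.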
Large audit firms also employ cybersecurity experts and may draw from that expertise in making such an assessment as it relates to cybersecurity risk controls; likewise, companies should consider whether they have sufficient expertise within their own ranks to meet this requirement. At a minimum, it is in a company’s best interest to maintain a close and informed relationship with its auditors.
Importantly, it remains an open question whether public companies need to have an individual with cybersecurity expertise on the board. For example, the Commission has questioned whether boards of directors ‘have been doing enough to oversee risk management within their companies’, particularly in the area of ‘ensuring the adequacy of a company’s cybersecurity measures’, which is ‘a critical part of a board of director’s risk oversight responsibilities’. Thus, boards must ask themselves, just as they have members with accounting expertise on the audit committee to provide oversight of the chief financial officer and the finance function, whether they have sufficient cybersecurity expertise to oversee the chief information security officer (or equivalent) and that function within the company. To address this concern, companies may consider creating a separate independent risk committee of the board (already required for large financial institutions by the Dodd–Frank Act) and moving the risk oversight function from the purview of the audit committee to that risk committee. Additionally, companies should ensure they have the appropriate personnel to engage in effective cyber risk management and assessment. This may involve engaging auditors or outside experts, or appointing full-time board-level personnel focused on cybersecurity issues to help prevent and mitigate the effects of cyberattacks.
Providing updates to the SEC: what to say and when
Although, as noted above, the SEC recognises that it takes time to determine the severity and consequences of a cyber incident, the 2018 Guidance is notable for its emphasis on the need to disclose incidents promptly, even before the company understands the full scope of an attack. The Commission stated ‘we recognize that a company may require time to discern the implications of a cybersecurity incident . . . [and] that it may be necessary to cooperate with law enforcement’. And yet, evidently in response to the common practice of deferring disclosure until an investigation concludes, the Commission has also stated that ‘an ongoing internal or external investigation—which can often be lengthy—would not on its own provide a basis for avoiding disclosures of a material cybersecurity event’. Notably, companies and their counsel should expect that the SEC, whether in the Division of Corporation Finance review process or a Division of Enforcement inquiry, will examine the materiality determination and the company’s knowledge at the time of the incident. This will involve questions from SEC staff about what senior management and the board knew, when they knew it, and how materiality was assessed in light of all the relevant facts and circumstances, including prior cyber incidents and breaches. Finally, an initial disclosure is not enough: companies should consider whether their disclosures need to be updated over time as the financial consequences of the incident are quantified and other consequences emerge, and whether prior disclosures must be corrected.
As the cybersecurity threat landscape evolves, so too must companies’ approach to disclosure. It is clear that management and boards will be expected to maintain high standards by regulators and investors. Gone are the days of professing shock and disappointment when cyber events occur – companies today will be judged on the quality and timeliness of their response, their efforts at defence and, perhaps most critically for the SEC, whether the disclosures accurately disclosed the material risks and material events.
1 Michael E Liftik is a partner at Quinn Emanuel Urquhart & Sullivan LLP. Kristin S Starr is a former associate.
2 Div. of Corp. Fin. SEC, CF Disclosure Guidance: Topic No. 2 – Cybersecurity (13 Oct 2011), available at https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
6 Letter from John D Rockefeller IV, Chairman, Comm. on Commerce, Sci. & Transp. to Mary Jo White, Chair, SEC (9 Apr 2013), available at http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=49ac989b-bd16-4bbd-8d64-8c15ba0e4e51.
7 Letter from Mary Jo White, Chair, SEC, to John D Rockefeller IV, Chairman, Comm. on Commerce, Sci. & Transp. (1 May 2013), available at http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=7b54b6d0-e9a1-44e9-8545-ea3f90a40edf.
9 Mary Jo White, Chair, SEC, Opening Statement at SEC Roundtable on Cybersecurity (26 Mar 2014), https://www.sec.gov/news/public-statement/statement-3-26-14-mjw.
11 ‘Commission Statement and Guidance on Public Company Cybersecurity Disclosures’, at 2 (21 Feb 2018), available at https://www.sec.gov/rules/interp/2018/33-10459.pdf [2018 Guidance]; see also World Economic Forum Insight Report, ‘The Global Risks Report 2018’, at 6 (17 Jan 2018), available at http://www3.weforum.org/docs/WEF_GRR18_Report.pdf [World Economic Forum Report] (identifying cyberattacks as one of the top five global risks in terms of likelihood).
12 Order Instituting Cease-and-Desist Proceedings Pursuant to Section 8A of the Securities Act of 1933 and Section 21C of the Securities Exchange Act of 1934, Making Findings, and Imposing a Cease-and-Desist Order, In the Matter of Altaba Inc., f/d/b/a Yahoo! Inc. (SEC, 24 Apr 2018).
15 SEC, ‘Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements’, 2 (16 Oct 2018) [SEC Cybersecurity 21(a) Report], available at https://www.sec.gov/litigation/investreport/34-84429.pdf. The Cybersecurity 21(a) Report utilises a Commission mechanism that allows the Division of Enforcement to report on an investigation when it determines that an enforcement is not appropriate. See Securities Exchange Act Section 21(a); 15 USC Section 78u(a).
16 See SEC Cybersecurity 21(a) Report (footnote 15), at 3 and 4.
17 ibid., at 6.
18 15 USC Section 78m(b)(2)(B), paras. (i) and (iii).
19 17 CFR 240.13a-15; 17 CFR 240.15d-15.
20 S. Rep. No. 95-114, at 8 (1977) (1977 Senate Report); see also ‘Promotion of the Reliability of Financial Information and Prevention of the Concealment of Questionable or Illegal Corporate Payments and Practices’, Exchange Act Release No. 15570, at 6 (15 Feb 1979) (adopting release) (‘An equally important objective of the new law . . . is the goal of corporate accountability.’).
21 See 1977 Senate Report, at 8 (‘management must exercise judgment in determining the steps to be taken, and the cost incurred, in giving assurance that the objectives expressed, will be achieved.’); The Council of Economic Advisers, ‘The Cost of Malicious Cyber Activity to the U.S. Economy’, at 45 (Feb 2018), available at https://www.whitehouse.gov/wp-content/uploads/2018/02/The-Cost-of-Malicious-Cyber-Activity-to-the-U.S.-Economy.pdf (‘Private firms are ultimately in the best position to figure out the most appropriate sector- and firm-specific cybersecurity practices.’); 2018 Guidance (footnote 11), at 4 and 5 (‘In addition, the Commission believes that the development of effective disclosure controls and procedures is best achieved when a company’s directors, officers, and other persons responsible for developing and overseeing such controls and procedures are informed about the cybersecurity risks and incidents that the company has faced or is likely to face.’).
22 17 CFR 240.13a-14; 17 CFR 240.15d-14.
23 2018 Guidance (footnote 11), at 20.
24 See SEC Cybersecurity 21(a) Report (footnote 15).
25 2018 Guidance (footnote 11), at 18.
26 ibid., at 18 and 19.
27 ibid., at 20 (emphasis added).
28 ibid., at 19 and 20.
29 ibid., at 7.
30 17 CFR part 229.
31 17 CFR part 210.
32 2018 Guidance (footnote 11), at 7 and 8.
33 Rule 408 of the Securities Act [17 CFR 230.408]; Rule 12b-20 of the Exchange Act [17 CFR 240.12b-20]; and Rule 14a-9 of the Exchange Act [17 CFR 240.14a-9].
34 2018 Guidance (footnote 11), at 10 and 11.
35 ibid., at 11.
36 ibid., at 11 and 12.
37 ibid., at 4.
38 See, e.g. Item 407(h) of Regulation S-K and Item 7 of Schedule 14A (17 CFR 229.407(h); 17 CFR 240.14a-101 – Schedule 14A).
39 2018 Guidance (footnote 11), at 18.
40 In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959 (Del. Ch. 1996).
41 Sarbanes–Oxley Act of 2002, Section 404(b).
42 Luis A Aguilar, SEC, ‘Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus’ (10 Jun 2014), available at http://www.sec.gov/News/Speech/Detail/Speech/1370542057946.
43 For the government corollary of this principle, see Executive Office of the President, Office of Management and Budget, OMB Circular No. A-123, ‘Management’s Responsibility for Enterprise Risk Management and Internal Control’ (15 Jul 2016), available at https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2016/m-16-17.pdf.
44 2018 Guidance (footnote 11), at 12.