A Blog About Current Issues in White Collar Defense
SEC’s Updated Cybersecurity Disclosure Guidelines Leave Questions Unanswered
As previewed in our previous post, the United States Securities and Exchange Commission (“SEC”) unanimously approved new cybersecurity interpretive guidance—a format used to clarify the SEC’s views on securities laws and regulations—on Wednesday of last week. The guidelines make no mention of how they affect and interplay with other regulators’ data privacy requirements, so whether compliance with these guidelines absolves companies of liability is a crucial question left for another day.
The new SEC guidance builds on a 2011 SEC report on the same topic and calls for public companies to be more transparent regarding their cybersecurity risks—both before and after an attack. The guidance encourages public companies to implement policies that allow them to quickly assess cybersecurity risks and decide when to tell the public.
“Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion,” the report states, “including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.” While companies are not required to make public sensitive information that could compromise their cybersecurity protections, the SEC guidance states that they also cannot use internal or law enforcement investigations as an excuse for not informing the public:
“We also recognize that it may be necessary to cooperate with law enforcement and that ongoing investigation of a cybersecurity incident may affect the scope of disclosure regarding the incident. However, an ongoing internal or external investigation—which often can be lengthy—would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.”
The SEC guidance also makes clear that it does not want a repeat of the Equifax situation, an instance in which concerns about insider trading emerged last year after Equifax Inc. revealed that several executives had sold shares in the days between the company’s discovery of a breach and its disclosure. An Equifax board review found no wrongdoing, but many, including the SEC, were disturbed by the chain of events. Thus, the 2018 guidance encourages public companies to create policies that prevent corporate insiders from trading shares when they have important nonpublic information regarding cyber incidents.
“I believe that providing the Commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors,” SEC Chairman Jay Clayton said in a statement. Democratic commission members Kara Stein and Robert Jackson, however, were less optimistic in their separately issued statements, in which they lamented the limited action taken by the SEC’s new guidance.
Commissioner Jackson wrote that “I reluctantly support today’s guidance in the hope that it is just the first step toward defeating those who would use technology to threaten our economy.” Jackson further stated the new guidance “essentially reiterates years-old staff-level views on the issue,” and referenced a recent report from the White House Council of Economic Advisers that found companies frequently underreport cybersecurity events to investors.
Calling the guidance “far from robust,” Stein argued that the new interpretation is largely redundant of the SEC’s 2011 guidance. Quoting a 2014 study, she stated the 2011 guidance “resulted in a series of disclosures that rarely provide differentiated or actionable information for investors.” “It may provide investors a false sense of comfort that we, at the Commission, have done something more than we have,” Stein said.
In their statements, both Stein and Jackson suggest various initiatives the SEC could take to protect investors on cybersecurity issues: more rigorous rulemaking to police disclosure around cybersecurity issues, requiring certain cybersecurity policies at public companies, the creation or improvement of incentives and penalties to motivate firms to increase their cybersecurity infrastructure, and/or deeper analysis of the impact of the 2011 guidance.
Putting aside these critiques, the SEC’s guidelines raise one resounding question: how do these guidelines interplay with other regulators’ (typically more stringent) data privacy requirements? The European Parliament, for instance, requires that companies dealing with European Union citizens’ data comply with the General Data Protection Regulation (“GDPR”). The GDPR takes a wide view of what constitutes personally identifiable information and requires the same level of protection for things like an individual’s IP address or cookie data as it does for name, address and Social Security number. Closer to home, most U.S. states have their own data privacy requirements. For instance, Massachusetts was one of the first states to enact information security requirements for companies doing business within its borders. The question remains, then: is compliance with the SEC’s new guidance the ceiling or the floor? When boards, shareholders, and/or the public bring lawsuits against public companies following data breaches, will following the SEC guidance be enough to shield a company from liability? Until new guidance is issued by the SEC, these questions will remain in play.