USLAW-Magazine_FallWinter2018

Recommendations

Info

2 www.uslaw.org U S L A W 35 Million Reasons to Heed New SEC Guidance on Cybersecurity Disclosure Requirements By John McCauley Esq., CIPP (US)(E) Bingham Greenebaum Doll LLP The Securities and Exchange Commission has released new guidance (“Guidance”) to ensure public companies disclose cybersecurity incidents and risks to their investors. As evidence of its view of the importance of the Guidance, the SEC in April 2018 announced a $35 million settlement with Altaba, (formerly Yahoo), which waited two years to disclose a massive data breach in 2014. In February 2018, the Securities and Exchange Commission (“Commission”) approved Interpretive Guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents. The decision vote to approve the Guidance comes at a time when the significance of cybersecurity incidents is increasing. The Guidance outlines the Commission’s views with respect to cybersecurity disclosure requirements under the federal securities laws as they apply to public operating companies. WHY GIVE GUIDANCE? After the issuance of Guidance in 2011, the SEC found many companies included additional cybersecurity disclosure, typically in the form of risk factors. However, given the frequency, magnitude and costs associated with cybersecurity incidents to public companies, the SEC believes companies must take all required actions to inform investors about a material cybersecurity risk or incident in a timely manner. Companies that are the victim of a cyberattack or other cybersecurity incident often incur substantial costs, including remediation costs, increased cybersecurity protection costs, reputational harm, and litigation and legal risks, including regulatory actions by governmental authorities.
U S L A W www.uslaw.org 3 It is important to note that the Guidance outlined regarding disclosure also applies to companies that have not yet had an incident but may be at risk for a cyberattack. The Commission’s Interpretive Guidance focuses on two areas that were not addressed in the Division of Finance’s Guidance – 1) the importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents; and 2) the application of insider trading prohibitions in the cybersecurity context. POLICIES AND PROCEDURES The SEC expects companies to disclose any cybersecurity risk or incident that is material to investors, including the concomitant financial, legal or reputational consequences. Companies will have to weigh the potential materiality of any identified risk, the importance of any compromised information and the impact of the incident on the company’s operations. Companies should also avoid a generic approach to completing the disclosure forms and provide specific information that is useful to investors. But this does not mean companies are to give a roadmap regarding their security plans, such as technical information about their cybersecurity efforts or other details that will make the company and its technology more susceptible to an incident. Companies have a duty to correct prior disclosures that the company later determines were untrue at the time they were made. Companies should consider whether they need to revisit or refresh any previous disclosures, including during the process of investigating a cybersecurity incident, in light of this new Guidance. In addition, the SEC encourages companies to adopt comprehensive policies and procedures related to cybersecurity disclosure. Compliance with these policies and procedures should be evaluated regularly. INSIDER TRADING Companies and their directors, officers and other corporate insiders are obligated to refrain from making selective disclosures of material nonpublic information about cybersecurity risks or incidents. They must be mindful of complying with the laws related to insider trading in connection with information about cybersecurity risks and incidents, including vulnerabilities and breaches. The SEC notes it is continuing to monitor cybersecurity disclosures carefully. In fact, in March 2018, the federal government filed criminal and civil charges against Jun Ying, a former chief information officer at Equifax Inc., over alleged insider trading linked to Equifax’s massive data breach in 2017. He is accused of using confidential information to conclude the company suffered a serious breach, and then sold his shares of the company before the breach was announced, making nearly $1 million. By selling before the data breach was publicly disclosed, he avoided nearly $117,000 in losses, according to the SEC. It is the first time the U.S. government has charged someone with insider trading after allegedly profiting from information about a cyberattack. The Commission encourages companies to consider how their codes of ethics and insider trading policies take into account and prevent trading on the basis of material nonpublic information related to a cybersecurity risk or incident. It is prudent for companies to consider how to avoid the appearance of improper trading during the period following a cybersecurity incident and before information about the disclosure is disseminated. TAKE ACTION On April 24, 2018, the SEC announced the $35 million settlement with Altaba to resolve the Commission’s charges that Yahoo deceived investors by not disclosing a massive data breach in December 2014 to the investing public until 2016 when it was in the process of closing the acquisition of its operating business by Verizon Communications, Inc. Yahoo neither admitted nor denied the findings in the SEC’s order. The message from the SEC is clear – the Division of Finance will continue to carefully monitor cybersecurity disclosures as part of its selective filing reviews. Public companies should work with their legal and compliance teams to evaluate their controls and procedures regarding securities law disclosure obligations and how to avoid the appearance of improper insider trading during the time after a cybersecurity incident but before that information has been included in a disclosure. Bingham Greenebaum Doll LLP Partner John McCauley provides extensive advice on cybersecurity risks, incidents and policy issues, including proactive cyber incident readiness. As a Certified Information Privacy Professional, he assists clients in identifying, evaluating and managing risks associated with privacy and information security practices.
Page 1 and 2: F A L L | W I N T E R | 2 0 1 8 ATT
Page 3 and 4: www.uslaw.org From the Incoming Cha
Page 5: U S L A W www.uslaw.org 1 www.uslaw
Page 9 and 10: U S L A W www.uslaw.org 5 both them
Page 11 and 12: U S L A W www.uslaw.org 7 your spou
Page 13 and 14: U S L A W www.uslaw.org 9 GDPR succ
Page 16 and 17: 1 2 www.uslaw.org U S L A W AVOIDIN
Page 18 and 19: 1 4 www.uslaw.org U S L A W Address
Page 20 and 21: 1 6 www.uslaw.org U S L A W CAVEAT
Page 22 and 23: 1 8 www.uslaw.org U S L A W Messagi
Page 24 and 25: 2 0 w w w . u s l a w . o r g U S L
Page 26 and 27: 2 2 www.uslaw.org U S L A W A LONG
Page 28 and 29: 2 4 www.uslaw.org U S L A W THE EVO
Page 30 and 31: 2 6 www.uslaw.org U S L A W Before
Page 32 and 33: 2 8 www.uslaw.org U S L A W LOCKING
Page 34 and 35: 3 0 www.uslaw.org U S L A W Trying
Page 36 and 37: 3 2 www.uslaw.org U S L A W THE LEG
Page 38 and 39: 3 4 www.uslaw.org U S L A W Balance
Page 40 and 41: 3 6 www.uslaw.org U S L A W NAVIGAT
Page 42 and 43: 3 8 www.uslaw.org U S L A W Doing b
Page 44: Beyond reasonable doubt, we’re th
Page 48 and 49: 4 4 www.uslaw.org U S L A W Matthew
Page 50 and 51: 4 6 www.uslaw.org U S L A W PRO BON
Page 52 and 53: 4 8 www.uslaw.org U S L A W Success
Page 54 and 55: 5 0 www.uslaw.org U S L A W plainti
Page 56 and 57:
5 2 www.uslaw.org U S L A W USLAW N
Page 58 and 59:
® ® 5 4 www.uslaw.org U S L A W E
Page 60 and 61:
5 6 www.uslaw.org U S L A W STATE J
Page 62 and 63:
5 8 www.uslaw.org U S L A W RAPID R
Page 64 and 65:
6 0 www.uslaw.org U S L A W 2018 US
Page 68:
® ® The Internet of Things and th
show all

USLAW-Magazine_FallWinter2018

Create successful ePaper yourself

Delete template?

Save as template?