The US Securities and Exchange Commission (SEC) has issued an interpretive release to provide guidance to public companies when preparing disclosures about cybersecurity risks and incidents. The release also communicates the SEC’s views on the importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents. So what are the implications in supplier risk management?

Given the frequency, magnitude and cost of cybersecurity incidents, the SEC says that public companies should take all required actions to inform investors about material actual and potential cybersecurity risks and incidents, including industry-specific risks and third-party supplier and service-provider risks. DCAT Value Chain Insights examines the requirements.

Inside the requirements

The US Securities and Exchange Commission (SEC) interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents was published in the February 26, 2018 edition of the Federal Register. “I believe that providing the Commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors,” said SEC Chairman Jay Clayton in a February 21, 2018 statement in commenting on the guidance. “In today’s environment, cybersecurity is critical to the operations of companies and our markets,” said the SEC chairman in the statement. “Companies increasingly rely on and are exposed to digital technology as they conduct their business operations and engage with their customers, business partners, and other constituencies. This reliance on and exposure to our digitally connected world presents ongoing risks and threats of cybersecurity incidents for all companies, including public companies regulated by the Commission. Public companies must stay focused on these issues and take all required action to inform investors about material cybersecurity risks and incidents in a timely fashion,” he said.

In 2011, the SEC’s Division of Corporation Finance issued guidance that provided the Division’s views regarding disclosure obligations that relate to cybersecurity risks and incidents. The new guidance reinforces and expands the Division’s prior guidance. The new guidance highlights the disclosure requirements under the federal securities laws that public operating companies must pay particular attention to when considering their disclosure obligations with respect to cybersecurity risks and incidents. It also addresses the importance of policies and procedures related to disclosure controls and procedures, insider trading, and selective disclosures.

”There is no doubt that the cybersecurity landscape and the risks associated with it continue to evolve,” said the SEC chairman in the release. “I have asked the Division of Corporation Finance to continue to carefully monitor cybersecurity disclosures as part of their selective filing reviews. We will continue to evaluate developments in this area and consider feedback about whether any further guidance or rules are needed,” he said.

Given the frequency, magnitude, and cost of cybersecurity incidents, the SEC specifies in the guidance that it believes that it is “critical” that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber attack. “Crucial to a public company’s ability to make any required disclosure of cybersecurity risks and incidents in the appropriate timeframe are disclosure controls and procedures that provide an appropriate method of discerning the impact that such matters may have on the company and its business, financial condition, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents,” said the SEC in its guidance. “In addition, the Commission believes that the development of effective disclosure controls and procedures is best achieved when a company’s directors, officers, and other persons responsible for developing and overseeing such controls and procedures are informed about the cybersecurity risks and incidents that the company has faced or likely to face.

The guidance points out that in determining their disclosure obligations regarding cybersecurity risks and incidents, companies generally weigh, among other things, the potential materiality of any identified risk and, in the case of incidents, the importance of any compromised information and of the impact of the incident on the company’s operations. The guidance specifies that the materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations. The materiality of cybersecurity risks and incidents also depends on the range of harm that such incidents could cause. This includes harm to a company’s reputation, financial performance, and customer and vendor relationships as well as the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities.

In its guidance, the SEC says it does expect companies to publicly disclose specific, technical information about their cybersecurity systems, the related networks and devices, or potential system vulnerabilities in such detail as would make such systems, networks, and devices more susceptible to a cybersecurity incident. The SEC, however, says it does expect companies to disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal, or reputational consequences. For example, the SEC points out that past incidents involving suppliers, customers, competitors, and others may be relevant when crafting risk factor disclosure. In certain circumstances, this type of contextual disclosure may be necessary to effectively communicate cybersecurity risks to investors, said the SEC in its guidance.

Cybersecuirty risk factors

The guidance outlines several issues for companies to consider in evaluating cybersecurity risk factor disclosure. They include: (1) the occurrence of prior cybersecurity incidents, including their severity and frequency; (2) the probability of the occurrence and potential magnitude of cybersecurity incidents; (3) the adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including, if appropriate, discussing the limits of the company’s ability to prevent or mitigate certain cybersecurity risks; (3) the aspects of the company’s business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks, including industry-specific risks and third-party supplier and service-provider risks; and (4) the costs associated with maintaining cybersecurity protections, including, if applicable, insurance coverage relating to cybersecurity incidents or payments to service providers; (5) the potential for reputational harm; (6) existing or pending laws and regulations that may affect the requirements to which companies are subject relating to cybersecurity and the associated costs to companies; and (7) litigation, regulatory investigation, and remediation costs associated with cybersecurity incident.