Corporate Governance and Exec Compensation 2021

Shearman & Sterling LLP 11 | Cybersecurity

The SEC Double-Clicks on Cybersecurity

Lona Nallengara and Richard B. Alsop

Insights

Although the focus of many public company boards as they look forward into 2022 will be on how to assess, measure and talk about climate risks and opportunities, human capital issues and ESG more generally, boards and management should not lose sight of the importance of cybersecurity risk. Board attention to cybersecurity matters has been steadily increasing over the past five years, to the point where today nearly all of the Top 100 Companies identify cybersecurity matters as a key board responsibility and as part of the board's oversight of risk management, compared to about 60% of the Top 100 Companies in 2017.

Corporate boards are not alone in their focus on cybersecurity. The SEC over the last few years has increasingly been flexing its muscles in cybersecurity matters, and recent actions suggest that management and boards should be paying attention. A few short years ago, the focus of the SEC was largely whether risk factor disclosures adequately and completely presented the cybersecurity risks a public company was facing. Applicable SEC interpretive guidance indicated that adequate risk disclosure required reasonable specificity, including, in particular, disclosure of whether the company had actually experienced the risk that was identified. The SEC made it clear that it was not enough to say a cyberattack could happen; investors needed to know whether one had already happened. This disclosure requirement remains, but the expectations with respect to what a company says and does when a cyberattack occurs, and what management and the board have done leading up to the attack, are increasingly coming under SEC scrutiny.
Interpretive Guidance

In February 2018, the SEC released new interpretive guidance on public company disclosures regarding cybersecurity risks and incidents, which outlined the SEC's views regarding disclosures by public companies relating to cybersecurity risks, events and incidents under existing securities laws. The interpretive guidance provided a useful framework for thinking about the various areas where cybersecurity-related disclosures may need to be made, such as risk factors, business description, MD&A, legal proceedings and financial statement disclosures. More importantly, the interpretive guidance outlined, for the first time, the SEC's view that:

• Public companies should be describing the role that boards of directors have in cybersecurity-related risk management to the extent those risks are material to their businesses;

• Public companies should maintain adequate disclosure controls and procedures so that those individuals responsible for disclosures are promptly alerted to cybersecurity incidents and a timely materiality and disclosure assessment can be made; and

• Public companies should have policies and procedures that restrict the ability of officers, directors and other insiders to trade before a decision has been made regarding the materiality of, and disclosure related to, a cyber incident.