Issue link: https://digital.shearman.com/i/1425392
Shearman & Sterling LLP Cybersecurity | 14 Cybersecurity | 14 Shearman & Sterling LLP WHAT SHOULD THE BOARD AND MANAGEMENT BE DOING NOW? Review Periodic Disclosures Most companies have heard the SEC on disclosure and know what the SEC expects companies to describe related to cybersecurity risks, the costs associated with prevention and the possibility of a cybersecurity event happening. No company should be expected to provide the details of any cybersecurity event to the extent that it becomes vulnerable to new attacks, but the SEC expects transparency about a company's cybersecurity history. Disclosure about hypothetical risks when the risk has happened is a ripe target for review and potential enforcement by the SEC. With the renewed focus on cybersecurity, it is advisable to review disclosures now. Disclosure Controls and Procedures The recent SEC enforcement actions reaffirm the importance of ensuring that a company's disclosure committee is directly connected to those responsible for evaluating and reporting on cybersecurity risks, incidents and events. The escalation procedures within a company's information security department should be reviewed to ensure that they require reporting to a disclosure committee representative when incidents occur and on an ongoing basis as the scope and cause of the incident is investigated and understood. Companies should train and test to make sure this information sharing is happening. The SEC has made it clear that establishing these processes and procedures is important. Take Care When Disclosing the Occurrence of a Cyber Incident The recent Pearson matter makes it clear that the SEC will scrutinize more than just the timing of disclosures related to a cybersecurity incident. The SEC will also look closely at what a company says about an actual cyberattack to ensure that it is not misstating or omitting material information. There will likely be strong pressure from a number of internal stakeholders to downplay the incident by limiting the description of what happened, including, for example, the extent of the data that may have been compromised, and to use strong words to reassure investors, customers, business partners and employees that the company has robust cybersecurity controls in place. Be aware that the SEC is reading these statements too. The SEC may take the view that an overly assertive statement about the rigor of existing cybersecurity protections may be inconsistent with the occurrence of the event in question. Cyber Expertise on the Board Consider how the company will respond if the SEC mandates disclosure related to the cybersecurity expertise on the board. The anticipated rulemaking from the SEC will likely propose a disclosure requirement in the proxy statement that asks companies to disclose what board committee oversees cybersecurity and whether the board has cybersecurity expertise and, if not, how the board obtains this expertise. For some companies, affirmatively disclosing that the board does not have or is not seeking to add this expertise may not be practical. Insider Trading Review your insider trading policy to ensure that cybersecurity incidents are specifically identified. Additionally, ensure that a process is in place whereby those with the responsibility for establishing trading blackout periods are promptly informed of the occurrence of a cybersecurity event or incident.