During the past several months, the US Securities and Exchange Commission (“SEC” or “Commission”) has increasingly emphasized the importance of robust disclosure by public (and possibly private) companies of their exposure to and management of cybersecurity risk. For example, the SEC issued guidance on cybersecurity disclosures for public companies earlier this year that we discussed in detail in our March 2018 Corporate newsletter. In recent weeks, in furtherance of its view that this is an area to be emphasized, the SEC issued a report relating to an investigation that the Commission conducted with respect to several companies regarding their failures in this area, involving wiring of large sums to hackers impersonating issuer executives or vendors. The SEC issued the report to make issuers and other market participants aware of the failures of those companies, the importance of enhanced accounting controls to address cyber risk and the SEC’s heightened scrutiny in this area. While the SEC has not yet proposed any monetary penalties against these companies, the fact that the Commission is broadcasting its efforts is a clear indication that cyber security is a material issue for the SEC in 2019. Whether it is susceptibility to direct regulatory sanctions, comments on offering materials, impediments to acceleration requests or something else, in order to mitigate their risks, current and future public companies MUST carefully heed the SEC’s concerns relating to cyber and data security.
Even non-public companies that intend to access private markets must address their disclosure obligations, as the SEC’s position is likely to impact the ongoing development of Rule 10b-5 and other antifraud laws impacting private market participants and those involved in mergers and acquisitions and financing activity.
The SEC has expressly expressed concern regarding the following data security issues
- Adequacy of general accounting controls as they impact exposure to phishing and other cyber-fraud. The SEC’s most recent release directly covered these related disclosures:
In light of the risks associated with today’s ever-expanding digital interconnectedness, public companies should pay particular attention to the obligations imposed by Section 13(b)(2)(B) to devise and maintain internal accounting controls that reasonably safeguard company and, ultimately, investor assets from cyber-related frauds. More specifically, Section 13(b)(2)(B)(i) and (iii) require certain issuers to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that (i) transactions are executed in accordance with management’s general or specific authorization,” and that “(iii) access to assets is permitted only in accordance with management’s general or specific authorization.
Public issuers subject to the requirements of Section 13(b)(2)(B) must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly.
- Disclosure in offering and periodic/incident-based reporting materials of actual cyber incidents and related losses, whether or not rising to the level of “materiality”;
- Efforts to mitigate of risk to issuer (and counterparty) intellectual property such as, but not only, trade secrets (chemical formulae, customer lists, pricing schedules, customer history and the like); a key issue that is addressed in both 2018 releases by the SEC and in an SEC release from 2011; and
- Information asset governance and oversight by senior management and boards of directors, as an essential component of the general corporate governance and risk management processes.
While not addressed by the SEC to the same extent as the foregoing issues, given the numerous, recent privacy-related controversies involving use of individuals’ information by large technology companies in ways not anticipated by the individuals, as well as the recently enacted expansive privacy legislation such as the European Union’s General Data Protection Regulation and similar California legislation, practices around data collection, use and sharing of such information, even absent wrongful access by third parties, will also be a focus of the SEC and perhaps the subject of future guidance documents from the Commission.
FisherBroyles, LLP Corporate and Cybersecurity/Privacy partners will be happy to work with clients to develop cost-effective compliance strategies fitted to each client’s specific circumstances, including with respect to developing more robust internal controls in light of risks arising from cyber-related frauds. There are also several steps which should be taken by all current and aspiring public clients and are strongly recommended by those interested in Regulation D, Regulation A+, crowdfunding or similar private financings:
- Regularly include cybersecurity on board agendas and ensure that minutes reflect such discussion;
- Review and augment internal controls over cash disbursements, and related documentation to address the phishing risk which prompted the most recent SEC action;
- Include in internal canvasing around 10K, 10Q and 8K (and 1933 act registration statements) preparation, appropriate queries to identify relevant incidents that the SEC wants disclosed;
- Provide training on cybersecurity policies and requirements to employees; and
- Frequently revisit with counsel and senior management, now-boilerplate public disclosures pertaining to this topic to determine whether they are still accurate and complete (while not facilitating fraud!).
Please contact your FisherBroyles lead to discuss these and other privacy matters.
FisherBroyles, LLP – Cloud-based. Not Virtual™
Founded in 2002, FisherBroyles, LLP was the first in the U.S., and now the largest full-service, distributed law firm in the world. The Next Generation Law Firm® has grown to approximately 220 attorneys in 21 offices nationwide. FisherBroyles’ unique platform leverages talent and technology instead of unnecessary overhead that does not add value to our clients, all without sacrificing BigLaw quality. Visit our website at www.fisherbroyles.com to learn more about our firm’s unique approach and how we can best meet your legal needs.
These materials have been prepared for informational purposes only, are not legal advice, and under rules applicable to the professional conduct of attorneys in various jurisdictions may be considered advertising materials. This information is not intended to create an attorney-client or similar relationship. Whether you need legal services and which lawyer you select are important decisions that should not be based on these materials alone.
© 2018 FisherBroyles LLP