83 FR 8166 - Commission Statement and Guidance on Public Company Cybersecurity Disclosures

SECURITIES AND EXCHANGE COMMISSION

Federal Register Volume 83, Issue 38 (February 26, 2018)

Page Range: 8166-8172
FR Document: 2018-03858


[Federal Register Volume 83, Number 38 (Monday, February 26, 2018)]
[Rules and Regulations]
[Pages 8166-8172]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2018-03858]


=======================================================================
-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

17 CFR Parts 229 and 249

[Release Nos. 33-10459; 34-82746]


Commission Statement and Guidance on Public Company Cybersecurity 
Disclosures

AGENCY: Securities and Exchange Commission.

ACTION: Interpretation.

-----------------------------------------------------------------------

SUMMARY: The Securities and Exchange Commission (the ``Commission'') is 
publishing interpretive guidance to assist public companies in 
preparing disclosures about cybersecurity risks and incidents.

DATES: Applicable February 26, 2018.

FOR FURTHER INFORMATION CONTACT: Questions about specific filings 
should be directed to staff members responsible for reviewing the 
documents the company files with the Commission. For general questions 
about this release, contact the Office of the Chief Counsel at (202) 
551-3500 in the Division of Corporation Finance, U.S. Securities and 
Exchange Commission, 100 F Street NE, Washington, DC 20549.

SUPPLEMENTARY INFORMATION:

I. Introduction

A. Cybersecurity

    Cybersecurity risks pose grave threats to investors, our capital 
markets, and our country.\1\ Whether it is the companies in which 
investors invest, their accounts with financial services firms, the 
markets through which they trade, or the infrastructure they count on 
daily, the investing public and the U.S. economy depend on the security 
and reliability of information and communications technology, systems, 
and networks. Companies today rely on digital technology to conduct 
their business operations and engage with their customers, business 
partners, and other constituencies. In a digitally connected world, 
cybersecurity presents ongoing risks and threats to our capital markets 
and to companies operating in all industries, including public 
companies regulated by the Commission.
---------------------------------------------------------------------------

    \1\ The U.S. Computer Emergency Readiness Team defines 
cybersecurity as ``[t]he activity or process, ability or capability, 
or state whereby information and communications systems and the 
information contained therein are protected from and/or defended 
against damage, unauthorized use or modification, or exploitation.'' 
U.S. Computer Emergency Readiness Team website, available at https://niccs.us-cert.gov/glossary#C (Adapted from: CNSSI 4009, NIST SP 
800-53 Rev 4, NIPP, DHS National Preparedness Goal; White House 
Cyberspace Policy Review, May 2009).
---------------------------------------------------------------------------

    As companies' exposure to and reliance on networked systems and the 
internet have increased, the attendant risks and frequency of 
cybersecurity incidents also have increased.\2\ Today, the importance 
of data management and technology to business is analogous to the 
importance of electricity and other forms of power in the past century. 
Cybersecurity incidents \3\ can result from unintentional events or 
deliberate attacks by insiders or third parties, including 
cybercriminals, competitors, nation-states, and ``hacktivists.'' \4\ 
Companies face an evolving landscape of cybersecurity threats in which 
hackers use a complex array of means to perpetrate cyber-attacks, 
including the use of stolen access credentials, malware, ransomware, 
phishing, structured query language injection attacks, and distributed 
denial-of-service attacks, among other means. The objectives of cyber-
attacks vary widely and may include the theft or destruction of 
financial assets, intellectual property, or other sensitive information 
belonging to companies, their customers, or their business partners. 
Cyber-attacks may also be directed at disrupting the operations of 
public companies or their business partners. This includes targeting 
companies that operate in industries responsible for critical 
infrastructure.
---------------------------------------------------------------------------

    \2\ See World Economic Forum, Global Risks Report 2017, 12th Ed. 
(Jan. 2017), available at https://www.weforum.org/reports/the-global-risks-report-2017 (concluding that ``greater interdependence 
among different infrastructure networks is increasing the scope for 
systemic failures--whether from cyber-attacks, software glitches, 
natural disasters or other causes--to cascade across networks and 
affect society in unanticipated ways.''). See also PwC, ``Turnaround 
and Transformation in Cybersecurity: Key Findings from the Global 
State of Information Security Survey 2016'' (Oct. 2015), available 
at https://www.pwccn.com/en/retail-and-consumer/rcs-info-security-2016.pdf (finding that in 2015 there was a reported 38% increase in 
detected information security incidents from 2014).
    \3\ A ``cybersecurity incident'' is ``[a]n occurrence that 
actually or potentially results in adverse consequences to . . . an 
information system or the information that the system processes, 
stores, or transmits and that may require a response action to 
mitigate the consequences.'' U.S. Computer Emergency Readiness Team 
website, available at https://niccs.us-cert.gov/glossary#I.
    \4\ One study using a sample of 419 companies in 13 countries 
and regions noted that 47 percent of data breach incidents in 2016 
involved a malicious or criminal attack, 25 percent were due to 
negligent employees or contractors (human factor) and 28 percent 
involved system glitches, including both IT and business process 
failures. See Ponemon Institute and IBM Security, 2017 Cost of Data 
Breach Study: Global Overview (Jun. 2017), available at https://www.ponemon.org/library/2017-cost-of-data-breach-study-united-states.
---------------------------------------------------------------------------

[[Page 8167]]

    Companies that fall victim to successful cyber-attacks or 
experience other cybersecurity incidents may incur substantial costs \5\ 
and suffer other negative consequences, which may include:
---------------------------------------------------------------------------

    \5\ The average organizational cost of a data breach in the 
United States in 2016 was $7.35 million based on the sample in the 
study. Id. However, the total costs a company may incur in 
connection with a particular cyber-attack or incident could be much 
higher.
---------------------------------------------------------------------------

    • Remediation costs, such as liability for stolen assets or 
information, repairs of system damage, and incentives to customers or 
business partners in an effort to maintain relationships after an 
attack; \6\
---------------------------------------------------------------------------

    \6\ A company's costs may also include payments to perpetrators 
of ransomware attacks in order to attempt to restore operations or 
protect customer data or other proprietary information. But see 
Federal Bureau of Investigation, ``How To Protect your Network from 
Ransomware,'' Ransomware Prevention and Response for CISOs, 
available at https://www.justice.gov/criminal-ccips/file/872771/download.
---------------------------------------------------------------------------

    • increased cybersecurity protection costs, which may 
include the costs of making organizational changes, deploying 
additional personnel and protection technologies, training employees, 
and engaging third party experts and consultants;
    • lost revenues resulting from the unauthorized use of 
proprietary information or the failure to retain or attract customers 
following an attack;
    • litigation and legal risks, including regulatory actions 
by state and federal governmental authorities and non-U.S. authorities; 
\7\
---------------------------------------------------------------------------

    \7\ See, e.g., New York State Department of Financial Services, 
23 NYCRR 500, Cybersecurity Requirements for Financial Services 
Companies; European Union General Data Protection Regulation, 
Council Regulation 2016/679, 2016 O.J. (L 119) 1.
---------------------------------------------------------------------------

    • increased insurance premiums;
    • reputational damage that adversely affects customer or 
investor confidence; and
    • damage to the company's competitiveness, stock price, and 
long-term shareholder value.
    Given the frequency, magnitude and cost of cybersecurity incidents, 
the Commission believes that it is critical that public companies take 
all required actions to inform investors about material cybersecurity 
risks and incidents in a timely fashion, including those companies that 
are subject to material cybersecurity risks but may not yet have been 
the target of a cyber-attack. Crucial to a public company's ability to 
make any required disclosure of cybersecurity risks and incidents in 
the appropriate timeframe are disclosure controls and procedures that 
provide an appropriate method of discerning the impact that such 
matters may have on the company and its business, financial condition, 
and results of operations, as well as a protocol to determine the 
potential materiality of such risks and incidents.\8\ In addition, the 
Commission believes that the development of effective disclosure 
controls and procedures is best achieved when a company's directors, 
officers, and other persons responsible for developing and overseeing 
such controls and procedures are informed about the cybersecurity risks 
and incidents that the company has faced or is likely to face.
---------------------------------------------------------------------------

    \8\ See Section II.B.1 below for further discussion of 
disclosure controls and procedures.
---------------------------------------------------------------------------

    Additionally, directors, officers, and other corporate insiders 
must not trade a public company's securities while in possession of 
material nonpublic information, which may include knowledge regarding a 
significant cybersecurity incident experienced by the company. Public 
companies should have policies and procedures in place to (1) guard 
against directors, officers, and other corporate insiders taking 
advantage of the period between the company's discovery of a 
cybersecurity incident and public disclosure of the incident to trade 
on material nonpublic information about the incident, and (2) help 
ensure that the company makes timely disclosure of any related material 
nonpublic information.\9\ In addition, we believe that companies are 
well served by considering the ramifications of directors, officers, 
and other corporate insiders trading in advance of disclosures 
regarding cyber incidents that prove to be material. We recognize that 
many companies have adopted preventative measures to address the 
appearance of improper trading and we encourage companies to consider 
such preventative measures in the context of a cyber event.
---------------------------------------------------------------------------

    \9\ See Section II.B.2 below for further discussion of insider 
trading.
---------------------------------------------------------------------------

B. CF Disclosure Guidance: Topic No. 2

    In October 2011, the Division of Corporation Finance (the 
``Division'') issued guidance that provided the Division's views 
regarding disclosure obligations relating to cybersecurity risks and 
incidents.\10\ The guidance explains that, although no existing 
disclosure requirement explicitly refers to cybersecurity risks and 
cyber incidents, companies nonetheless may be obligated to disclose 
such risks and incidents.\11\ After the issuance of the guidance, many 
companies included additional cybersecurity disclosure, typically in 
the form of risk factors.\12\
---------------------------------------------------------------------------

    \10\ See CF Disclosure Guidance: Topic No. 2--Cybersecurity 
(Oct. 13, 2011), available at https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
    \11\ Id.
    \12\ For example, Willis North America released a 2013 report 
that found that approximately 88% of the public Fortune 500 
companies and about 78% of the Fortune 501-1000 companies included 
risk factor disclosure regarding cybersecurity in their annual 
reports filed in 2012. See Willis Fortune 1000 Cyber Disclosure 
Report (Aug. 2013), available at http://blog.willis.com/wp-content/uploads/2013/08/Willis-Fortune-1000-Cyber-Report_09-13.pdf. In 2015, 
over 88% of Russell 3000 companies disclosed cybersecurity as a 
risk. See Audit Analytics, ``Cybersecurity Disclosure in Risk 
Factors,'' (Jan. 14, 2016), available at http://www.auditanalytics.com/blog/cybersecurity-disclosures-in-risk-factors/.
---------------------------------------------------------------------------

C. Purpose of Release

    In light of the increasing significance of cybersecurity incidents, 
the Commission believes it is necessary to provide further Commission 
guidance. This interpretive release outlines the Commission's views 
with respect to cybersecurity disclosure requirements under the federal 
securities laws as they apply to public operating companies.\13\ While 
the Commission continues to consider other means of promoting 
appropriate disclosure of cyber incidents, we are reinforcing and 
expanding upon the staff's 2011 guidance. In addition, we address two 
topics not developed in the staff's 2011 guidance, namely the 
importance of cybersecurity policies and procedures and the application 
of insider trading prohibitions in the cybersecurity context.
---------------------------------------------------------------------------

    \13\ This release does not address the specific implications of 
cybersecurity to other regulated entities under the federal 
securities laws, such as registered investment companies, investment 
advisers, brokers, dealers, exchanges, and self-regulatory 
organizations. For example, in 2014 the Commission adopted 
Regulation Systems Compliance and Integrity, applicable to certain 
self-regulatory organizations, to strengthen the technology 
infrastructure of the U.S. securities markets. Final Rule: 
Regulation Systems Compliance and Integrity, Release No. 34-73639 
(Nov. 19, 2014) [79 FR 72252 (Dec. 5, 2014)], available at https://www.sec.gov/rules/final/2014/34-73639.pdf. For additional 
cybersecurity regulations and resources, see the Commission's 
website page devoted to cybersecurity issues, available at https://www.sec.gov/spotlight/cybersecurity; see also Cybersecurity 
Guidance; IM Guidance Update (April 2015), available at https://www.sec.gov/investment/im-guidance-2015-02.pdf (staff guidance on 
cybersecurity measures for registered investment companies and 
investment advisers).
---------------------------------------------------------------------------

    First, this release stresses the importance of maintaining 
comprehensive policies and procedures related to cybersecurity risks 
and incidents. Companies are required to establish and maintain 
appropriate and effective disclosure controls and procedures that 
enable them to make accurate and timely disclosures of material events, 
including those related to cybersecurity. Such robust disclosure 
controls and procedures assist companies in satisfying their disclosure 
obligations under the federal securities laws.

[[Page 8168]]

    Second, we also remind companies and their directors, officers, and 
other corporate insiders of the applicable insider trading prohibitions 
under the general antifraud provisions of the federal securities laws 
and also of their obligation to refrain from making selective 
disclosures of material nonpublic information about cybersecurity risks 
or incidents.\14\
---------------------------------------------------------------------------

    \14\ See Final Rule: Selective Disclosure and Insider Trading, 
Release No. 33-7881 (Aug. 15, 2000) [65 FR 51715 (Aug. 24, 2000)], 
available at https://www.sec.gov/rules/final/3-7881.htm.
---------------------------------------------------------------------------

    The Commission, and the staff through its filing review process, 
continues to monitor cybersecurity disclosures carefully.

II. Commission Guidance

A. Overview of Rules Requiring Disclosure of Cybersecurity Issues

1. Disclosure Obligations Generally; Materiality
    Companies should consider the materiality of cybersecurity risks 
and incidents when preparing the disclosure that is required in 
registration statements under the Securities Act of 1933 (``Securities 
Act'') and the Securities Exchange Act of 1934 (``Exchange Act''), and 
periodic and current reports under the Exchange Act.\15\ When a company 
is required to file a disclosure document with the Commission, the 
requisite form generally refers to the disclosure requirements of 
Regulation S-K \16\ and Regulation S-X.\17\ Although these disclosure 
requirements do not specifically refer to cybersecurity risks and 
incidents, a number of the requirements impose an obligation to 
disclose such risks and incidents depending on a company's particular 
circumstances. For example:
---------------------------------------------------------------------------

    \15\ Listed companies also should consider any obligations that 
may be imposed by exchange listing requirements. For example, the 
NYSE requires listed companies to ``release quickly to the public 
any news or information which might reasonably be expected to 
materially affect the market for its securities.'' See NYSE Listed 
Company Manual Rule 202.05--Timely Disclosure of Material News 
Developments. In addition, in 2015, the NYSE, in partnership with 
Palo Alto Networks, published a summary of information about legal 
and regulatory aspects of cybersecurity governance for directors and 
officers of public companies. See Navigating the Digital Age: The 
Definitive Cybersecurity Guide for Directors and Officers. Chicago: 
Caxton Business & Legal, Inc., 2015, available at https://www.securityroundtable.org/wp-content/uploads/2015/09/Cybersecurity-9780996498203-no_marks.pdf. Similarly, Nasdaq requires listed 
companies to ``make prompt disclosure to the public of any material 
information that would reasonably be expected to affect the value of 
its securities or influence investors' decisions.'' See Nasdaq 
Listing Rule 5250(b)(1).
    \16\ 17 CFR part 229.
    \17\ 17 CFR part 210.
---------------------------------------------------------------------------

    • Periodic Reports: Companies are required to file periodic 
reports \18\ to disclose specified information on a regular and ongoing 
basis.\19\ These periodic reports include annual reports on Form 10-
K,\20\ which require companies to make disclosure regarding their 
business and operations, risk factors, legal proceedings, management's 
discussion and analysis of financial condition and results of 
operations (``MD&A''), financial statements, disclosure controls and 
procedures, and corporate governance.\21\ Periodic reports also include 
quarterly reports on Form 10-Q,\22\ which require companies to make 
disclosure regarding their financial statements, MD&A, and updated risk 
factors.\23\ Likewise, foreign private issuers are required to make 
many of these same disclosures in their periodic reports on Form 20-
F.\24\ Companies must provide timely and ongoing information in these 
periodic reports regarding material cybersecurity risks and incidents 
that trigger disclosure obligations.
---------------------------------------------------------------------------

    \18\ An issuer with a class of securities registered under 
Section 12 or subject to Section 15(d) of the Exchange Act is 
subject to the periodic and current reporting requirements of 
Section 13 and 15(d), respectively, of the Exchange Act.
    \19\ ``Congress recognized that the ongoing dissemination of 
accurate information by companies about themselves and their 
securities is essential to effective operation of the trading 
markets. The Exchange Act rules require public companies to make 
periodic disclosures at annual and quarterly intervals, with other 
important information reported on a more current basis. The Exchange 
Act specifically provides for current disclosure to maintain the 
currency and adequacy of information disclosed by companies.'' 
Proposed Rule: Additional Form 8-K Disclosure Requirements and 
Acceleration of Filing Date, Release No. 33-8106, 3-4 (Jun. 17, 
2002) [67 FR 42914 (Jun. 25, 2002)].
    \20\ 17 CFR 249.310.
    \21\ See Part I, Items 1, 1A and 3 of Form 10-K; Part II, Items 
7, 8 and 9A of Form 10-K; and Part III, Item 10 of Form 10-K [17 CFR 
249.310].
    \22\ 17 CFR 249.308a.
    \23\ See Part I, Items 1 and 2 of Form 10-Q; Part II, Item 1A of 
Form 10-Q [17 CFR 249.308a].
    \24\ See Part I, Items 3.D, 4, 5 and 8 of Form 20-F; Part II, 
Items 15 and 16G of Form 20-F; Part III, Items 17 and 18 of Form 20-
F [17 CFR 249.220f].
---------------------------------------------------------------------------

    • Securities Act and Exchange Act Obligations: Securities 
Act and Exchange Act registration statements must disclose all material 
facts required to be stated therein or necessary to make the statements 
therein not misleading. Companies should consider the adequacy of their 
cybersecurity-related disclosure, among other things, in the context of 
Sections 11, 12, and 17 of the Securities Act, as well as Section 10(b) 
and Rule 10b-5 of the Exchange Act.\25\
---------------------------------------------------------------------------

    \25\ 15 U.S.C. 77k; 15 U.S.C. 77l; 15 U.S.C. 77q; 15 U.S.C. 
78j(b); 17 CFR 240.10b-5.
---------------------------------------------------------------------------

    • Current Reports: In order to maintain the accuracy and 
completeness of effective shelf registration statements with respect to 
the costs and other consequences of material cybersecurity 
incidents,\26\ companies can provide current reports on Form 8-K \27\ 
or Form 6-K.\28\ Companies also frequently provide current reports on 
Form 8-K or Form 6-K to report the occurrence and consequences of 
cybersecurity incidents.\29\ The Commission encourages companies to 
continue to use Form 8-K or Form 6-K to disclose material information 
promptly, including disclosure pertaining to cybersecurity matters. 
This practice reduces the risk of selective disclosure, as well as the 
risk that trading in their securities on the basis of material non-
public information may occur.\30\
---------------------------------------------------------------------------

    \26\ See Item 11(a) of Form S-3 [17 CFR 239.13] and Item 5(a) of 
Form F-3 [17 CFR 239.33].
    \27\ 17 CFR 249.308.
    \28\ 17 CFR 249.306.
    \29\ ``The registrant may, at its option, disclose under this 
Item 8.01 [of Form 8-K] any events, with respect to which 
information is not otherwise called for by this form, that the 
registrant deems of importance to security holders.'' 17 CFR 308.
    \30\ See Sections II.B.2 and II.B.3 below for further discussion 
of insider trading and Regulation FD.
---------------------------------------------------------------------------

    In addition to the information expressly required by Commission 
regulation, a company is required to disclose ``such further material 
information, if any, as may be necessary to make the required 
statements, in light of the circumstances under which they are made, 
not misleading.'' \31\ The Commission considers omitted information to 
be material if there is a substantial likelihood that a reasonable 
investor would consider the information important in making an 
investment decision or that disclosure of the omitted information would 
have been viewed by the reasonable investor as having significantly 
altered the total mix of information available.\32\
---------------------------------------------------------------------------

    \31\ Rule 408 of the Securities Act [17 CFR 230.408]; Rule 12b-
20 of the Exchange Act [17 CFR 240.12b-20]; and Rule 14a-9 of the 
Exchange Act [17 CFR 240.14a-9].
    \32\ This approach is consistent with the standard of 
materiality articulated by the U.S. Supreme Court in TSC Industries 
v. Northway, 426 U.S. 438, 449 (1976) (a fact is material ``if there 
is a substantial likelihood that a reasonable shareholder would 
consider it important'' in making an investment decision or if it 
``would have been viewed by the reasonable investor as having 
significantly altered the `total mix' of information made 
available'' to the shareholder).
---------------------------------------------------------------------------

[[Page 8169]]

    In determining their disclosure obligations regarding cybersecurity 
risks and incidents, companies generally weigh, among other things, the 
potential materiality of any identified risk and, in the case of 
incidents, the importance of any compromised information and of the 
impact of the incident on the company's operations. The materiality of 
cybersecurity 
risks or incidents depends upon their nature, extent, and potential 
magnitude, particularly as they relate to any compromised information 
or the business and scope of company operations.\33\ The materiality of 
cybersecurity risks and incidents also depends on the range of harm 
that such incidents could cause.\34\ This includes harm to a company's 
reputation, financial performance, and customer and vendor 
relationships, as well as the possibility of litigation or regulatory 
investigations or actions, including regulatory actions by state and 
federal governmental authorities and non-U.S. authorities.
---------------------------------------------------------------------------

    \33\ For example, the compromised information might include 
personally identifiable information, trade secrets or other 
confidential business information, the materiality of which may 
depend on the nature of the company's business, as well as the scope 
of the compromised information.
    \34\ As part of a materiality analysis, a company should 
consider the indicated probability that an event will occur and the 
anticipated magnitude of the event in light of the totality of 
company activity. Basic v. Levinson, 485 U.S. 224, 238 (1988) 
(citing SEC v. Texas Gulf Sulphur Co., 401 F. 2d 833, 849 (2d Cir. 
1968)). Moreover, no ``single fact or occurrence'' is determinative 
as to materiality, which requires an inherently fact-specific 
inquiry. Basic, 485 U.S. at 236.
---------------------------------------------------------------------------

    This guidance is not intended to suggest that a company should make 
detailed disclosures that could compromise its cybersecurity efforts--
for example, by providing a ``roadmap'' for those who seek to penetrate 
a company's security protections. We do not expect companies to 
publicly disclose specific, technical information about their 
cybersecurity systems, the related networks and devices, or potential 
system vulnerabilities in such detail as would make such systems, 
networks, and devices more susceptible to a cybersecurity incident. 
Nevertheless, we expect companies to disclose cybersecurity risks and 
incidents that are material to investors, including the concomitant 
financial, legal, or reputational consequences. Where a company has 
become aware of a cybersecurity incident or risk that would be material 
to its investors, we would expect it to make appropriate disclosure 
timely and sufficiently prior to the offer and sale of securities and 
to take steps to prevent directors and officers (and other corporate 
insiders who were aware of these matters) from trading its securities 
until investors have been appropriately informed about the incident or 
risk.\35\
---------------------------------------------------------------------------

    \35\ See Sections 7 and 10 of the Securities Act; Sections 
10(b), 13(a) and 15(d) of the Exchange Act; and Rule 10b-5 under the 
Exchange Act [15 U.S.C. 78j(b); 15 U.S.C. 78m(a); 15 U.S.C. 78o(d); 
17 CFR 240.10b-5].
---------------------------------------------------------------------------

    Understanding that some material facts may not be available at the 
time of the initial disclosure, we recognize that a company may require 
time to discern the implications of a cybersecurity incident. We also 
recognize that it may be necessary to cooperate with law enforcement 
and that ongoing investigation of a cybersecurity incident may affect 
the scope of disclosure regarding the incident. However, an ongoing 
internal or external investigation--which often can be lengthy--would 
not on its own provide a basis for avoiding disclosures of a material 
cybersecurity incident.
    We remind companies that they may have a duty to correct prior 
disclosure that the company determines was untrue (or omitted a 
material fact necessary to make the disclosure not misleading) at the 
time it was made \36\ (for example, if the company subsequently 
discovers contradictory information that existed at the time of the 
initial disclosure), or a duty to update disclosure that becomes 
materially inaccurate after it is made \37\ (for example, when the 
original statement is still being relied on by reasonable investors). 
Companies should consider whether they need to revisit or refresh 
previous disclosure, including during the process of investigating a 
cybersecurity incident.
---------------------------------------------------------------------------

    \36\ See Backman v. Polaroid Corp., 910 F.2d 10, 16-17 (1st Cir. 
1990) (en banc) (finding that the duty to correct applies ``if a 
disclosure is in fact misleading when made, and the speaker 
thereafter learns of this.'').
    \37\ See id. at 17 (describing the duty to update as potentially 
applying ``if a prior disclosure `becomes materially misleading in 
light of subsequent events''' (quoting Greenfield v. Heublein, Inc., 
742 F.2d 751, 758 (3d Cir. 1984))). But see Higginbotham v. Baxter 
Intern., Inc., 495 F.3d 753, 760 (7th Cir. 2007) (rejecting duty to 
update before next quarterly report); Gallagher v. Abbott 
Laboratories, 269 F.3d 806, 808-11 (7th Cir. 2001) (explaining that 
securities laws do not require continuous disclosure).
---------------------------------------------------------------------------

    We expect companies to provide disclosure that is tailored to their 
particular cybersecurity risks and incidents. As the Commission has 
previously stated, we ``emphasize a company-by-company approach [to 
disclosure] that allows relevant and material information to be 
disseminated to investors without boilerplate language or static 
requirements while preserving completeness and comparability of 
information across companies.'' \38\ Companies should avoid generic 
cybersecurity-related disclosure and provide specific information that 
is useful to investors.
---------------------------------------------------------------------------

    \38\ See Business and Financial Disclosure Required by 
Regulation S-K, Release No. 33-10064 (Apr. 13, 2016) [81 FR 23915 
(Apr. 22, 2016)]. See also Plain English Disclosure, Release No. 33-
7497 (Jan. 28, 1998) [63 FR 6370 (Feb. 6, 1998)]; and Updated Staff 
Legal Bulletin No. 7: Plain English Disclosure (Jun. 7, 1999) 
available at https://www.sec.gov/interps/legal/cfslb7a.htm.
---------------------------------------------------------------------------

2. Risk Factors
    Item 503(c) of Regulation S-K and Item 3.D of Form 20-F require 
companies to disclose the most significant factors that make 
investments in the company's securities speculative or risky.\39\ 
Companies should disclose the risks associated with cybersecurity and 
cybersecurity incidents if these risks are among such factors, 
including risks that arise in connection with acquisitions.\40\
---------------------------------------------------------------------------

    \39\ 17 CFR 229.503(c); 17 CFR 249.220f.
    \40\ See Final Rule: Business Combination Transactions, Release 
No. 33-6578 (Apr. 23, 1985) [50 FR 18990 (May 6, 1985)].
---------------------------------------------------------------------------

    It would be helpful for companies to consider the following issues, 
among others, in evaluating cybersecurity risk factor disclosure:
     The occurrence of prior cybersecurity incidents, including 
their severity and frequency;
     the probability of the occurrence and potential magnitude 
of cybersecurity incidents;
     the adequacy of preventative actions taken to reduce 
cybersecurity risks and the associated costs, including, if 
appropriate, discussing the limits of the company's ability to prevent 
or mitigate certain cybersecurity risks;
     the aspects of the company's business and operations that 
give rise to material cybersecurity risks and the potential costs and 
consequences of such risks, including industry-specific risks and third 
party supplier and service provider risks;
     the costs associated with maintaining cybersecurity 
protections, including, if applicable, insurance coverage relating to 
cybersecurity incidents or payments to service providers;
     the potential for reputational harm;
     existing or pending laws and regulations that may affect 
the requirements to which companies are subject relating to 
cybersecurity and the associated costs to companies; and
     litigation, regulatory investigation, and remediation 
costs associated with cybersecurity incidents.
[[Page 8170]]

    In meeting their disclosure obligations, companies may need to 
disclose previous or ongoing cybersecurity incidents or other past 
events in order to place discussions of these risks in the appropriate 
context. For example, if a company previously experienced a material 
cybersecurity incident involving denial-of-service, it likely would not 
be sufficient for the company to disclose that there is a risk that a 
denial-of-service incident may occur. Instead, the company may need to 
discuss the occurrence of that cybersecurity incident and its 
consequences as part of a broader discussion of the types of potential 
cybersecurity incidents that pose particular risks to the company's 
business and operations. Past incidents involving suppliers, customers, 
competitors, and others may be relevant when crafting risk factor 
disclosure. In certain circumstances, this type of contextual 
disclosure may be necessary to effectively communicate cybersecurity 
risks to investors.
3. MD&A of Financial Condition and Results of Operations
    Item 303 of Regulation S-K and Item 5 of Form 20-F require a 
company to discuss its financial condition, changes in financial 
condition, and results of operations. These items require a discussion 
of events, trends, or uncertainties that are reasonably likely to have 
a material effect on its results of operations, liquidity, or financial 
condition, or that would cause reported financial information not to be 
necessarily indicative of future operating results or financial 
condition and such other information that the company believes to be 
necessary to an understanding of its financial condition, changes in 
financial condition, and results of operations.\41\ In this context, 
the cost of ongoing cybersecurity efforts (including enhancements to 
existing efforts), the costs and other consequences of cybersecurity 
incidents, and the risks of potential cybersecurity incidents, among 
other matters, could inform a company's analysis. In addition, 
companies may consider the array of costs associated with cybersecurity 
issues, including, but not limited to, loss of intellectual property, 
the immediate costs of the incident, as well as the costs associated 
with implementing preventative measures, maintaining insurance, 
responding to litigation and regulatory investigations, preparing for 
and complying with proposed or current legislation, engaging in 
remediation efforts, addressing harm to reputation, and the loss of 
competitive advantage that may result.\42\ Finally, the Commission 
expects companies to consider the impact of such incidents on each of 
their reportable segments.\43\
---------------------------------------------------------------------------

    \41\ 17 CFR 229.303; 17 CFR 249.220f.
    \42\ A number of past Commission releases provide general 
interpretive guidance on these disclosure requirements. See, e.g., 
Commission Guidance Regarding Management's Discussion and Analysis 
of Financial Condition and Results of Operations, Release No. 33-
8350 (Dec. 19, 2003) [68 FR 75056 (Dec. 29, 2003)]; Commission 
Statement About Management's Discussion and Analysis of Financial 
Condition and Results of Operations, Release No. 33-8056 (Jan. 22, 
2002) [67 FR 3746 (Jan. 25, 2002)]; Management's Discussion and 
Analysis of Financial Condition and Results of Operations; Certain 
Investment Company Disclosures, Release No. 33-6835 (May 18, 1989) 
[54 FR 22427 (May 24, 1989)].
    \43\ 17 CFR 229.303(a).
---------------------------------------------------------------------------

4. Description of Business
    Item 101 of Regulation S-K and Item 4.B of Form 20-F require 
companies to discuss their products, services, relationships with 
customers and suppliers, and competitive conditions.\44\ If 
cybersecurity incidents or risks materially affect a company's 
products, services, relationships with customers or suppliers, or 
competitive conditions, the company must provide appropriate 
disclosure.
---------------------------------------------------------------------------

    \44\ 17 CFR 229.101; 17 CFR 249.220f.
---------------------------------------------------------------------------

5. Legal Proceedings
    Item 103 of Regulation S-K requires companies to disclose 
information relating to material pending legal proceedings to which 
they or their subsidiaries are a party.\45\ Companies should note that 
this requirement includes any such proceedings that relate to 
cybersecurity issues. For example, if a company experiences a 
cybersecurity incident involving the theft of customer information and 
the incident results in material litigation by customers against the 
company, the company should describe the litigation, including the name 
of the court in which the proceedings are pending, the date the 
proceedings are instituted, the principal parties thereto, a 
description of the factual basis alleged to underlie the litigation, 
and the relief sought.
---------------------------------------------------------------------------

    \45\ 17 CFR 229.103.
---------------------------------------------------------------------------

6. Financial Statement Disclosures
    Cybersecurity incidents and the risks that result therefrom may 
affect a company's financial statements. For example, cybersecurity 
incidents may result in:
     Expenses related to investigation, breach notification, 
remediation and litigation, including the costs of legal and other 
professional services;
loss of revenue, the cost of providing customers with incentives, or a 
loss in the value of customer relationship assets;
     claims related to warranties, breach of contract, product 
recall/replacement, indemnification of counterparties, and insurance 
premium increases; and
     diminished future cash flows, impairment of intellectual, 
intangible or other assets; recognition of liabilities; or increased 
financing costs.
    The Commission expects that a company's financial reporting and 
control systems would be designed to provide reasonable assurance that 
information about the range and magnitude of the financial impacts of a 
cybersecurity incident would be incorporated into its financial 
statements on a timely basis as the information becomes available.\46\
---------------------------------------------------------------------------

    \46\ See Section 13(b)(2)(B) of the Exchange Act [15 
U.S.C.78m(b)(2)(B)].
---------------------------------------------------------------------------

7. Board Risk Oversight
    Item 407(h) of Regulation S-K and Item 7 of Schedule 14A require a 
company to disclose the extent of its board of directors' role in the 
risk oversight of the company, such as how the board administers its 
oversight function and the effect this has on the board's leadership 
structure.\47\ The Commission has previously said that ``disclosure 
about the board's involvement in the oversight of the risk management 
process should provide important information to investors about how a 
company perceives the role of its board and the relationship between 
the board and senior management in managing the material risks facing 
the company.'' \48\ A company must include a description of how the 
board administers its risk oversight function.\49\ To the extent 
cybersecurity risks are material to a company's business, we believe 
this discussion should include the nature of the board's role in 
overseeing the management of that risk.
---------------------------------------------------------------------------

    \47\ 17 CFR 229.407(h); 17 CFR 240.14a-101--Schedule 14A.
    \48\ Final Rule: Proxy Disclosure Enhancements, Release No. 33-
9089 (Dec. 16, 2009) [74 FR 68334 (Dec. 23, 2009)], available at 
http://www.sec.gov/rules/final/2009/33-9089.pdf.
    \49\ See Item 407(h) of Regulation S-K [17 CFR 229.407(h)].
---------------------------------------------------------------------------

    In addition, we believe disclosures regarding a company's 
cybersecurity risk management program and how the board of directors 
engages with management on cybersecurity issues allow investors to 
assess how a board of directors is discharging its risk oversight 
responsibility in this increasingly important area.

[[Page 8171]]

B. Policies and Procedures

1. Disclosure Controls and Procedures
    Cybersecurity risk management policies and procedures are key 
elements of enterprise-wide risk management, including as it relates to 
compliance with the federal securities laws. We encourage companies to 
adopt comprehensive policies and procedures related to cybersecurity 
and to assess their compliance regularly, including the sufficiency of 
their disclosure controls and procedures as they relate to 
cybersecurity disclosure. Companies should assess whether they have 
sufficient disclosure controls and procedures in place to ensure that 
relevant information about cybersecurity risks and incidents is 
processed and reported to the appropriate personnel, including up the 
corporate ladder, to enable senior management to make disclosure 
decisions and certifications and to facilitate policies and procedures 
designed to prohibit directors, officers, and other corporate insiders 
from trading on the basis of material nonpublic information about 
cybersecurity risks and incidents.\50\
---------------------------------------------------------------------------

    \50\ See Final Rule: Certification of Disclosure in Companies' 
Quarterly and Annual Reports, Release No. 33-8124 (Aug. 28, 2002) 
[67 FR 57276 (Sept. 9, 2002)], available at https://www.sec.gov/rules/final/33-8124.htm (``We believe that, to assist principal 
executive and financial officers in the discharge of their 
responsibilities in making the required certifications, as well as 
to discharge their responsibilities in providing accurate and 
complete information to security holders, it is necessary for 
companies to ensure that their internal communications and other 
procedures operate so that important information flows to the 
appropriate collection and disclosure points in a timely manner.''); 
see also Section 10(b) of the Exchange Act and Rule 10b-5 thereunder 
[15 U.S.C. 78j(b); 17 CFR 240.10b-5].
---------------------------------------------------------------------------

    Pursuant to Exchange Act Rules 13a-15 and 15d-15, companies must 
maintain disclosure controls and procedures, and management must 
evaluate their effectiveness.\51\ These rules define ``disclosure 
controls and procedures'' as those controls and other procedures 
designed to ensure that information required to be disclosed by the 
company in the reports that it files or submits under the Exchange Act 
is (1) ``recorded, processed, summarized and reported, within the time 
periods specified in the Commission's rules and forms,'' and (2) 
``accumulated and communicated to the company's management . . . as 
appropriate to allow timely decisions regarding required disclosure.'' 
\52\
---------------------------------------------------------------------------

    \51\ 17 CFR 240.13a-15; 17 CFR 240.15d-15.
    \52\ Id.
---------------------------------------------------------------------------

    A company's disclosure controls and procedures should not be 
limited to disclosure specifically required, but should also ensure 
timely collection and evaluation of information potentially subject to 
required disclosure, or relevant to an assessment of the need to 
disclose developments and risks that pertain to the company's 
businesses.\53\ Information also must be evaluated in the context of 
the disclosure requirement of Exchange Act Rule 12b-20.\54\ When 
designing and evaluating disclosure controls and procedures, companies 
should consider whether such controls and procedures will appropriately 
record, process, summarize, and report the information related to 
cybersecurity risks and incidents that is required to be disclosed in 
filings. Controls and procedures should enable companies to identify 
cybersecurity risks and incidents, assess and analyze their impact on a 
company's business, evaluate the significance associated with such 
risks and incidents, provide for open communications between technical 
experts and disclosure advisors, and make timely disclosures regarding 
such risks and incidents.
---------------------------------------------------------------------------

    \53\ See Final Rule: Certification of Disclosure in Companies' 
Quarterly and Annual Reports, Release No. 33-8124 (Aug. 28, 2002) 
[67 FR 57276 (Sept. 9, 2002)], available at https://www.sec.gov/rules/final/33-8124.htm (``We believe that the new rules will help 
to ensure that an issuer's systems grow and evolve with its business 
and are capable of producing Exchange Act reports that are timely, 
accurate and reliable.'').
    \54\ 17 CFR 240.12b-20.
---------------------------------------------------------------------------

    Exchange Act Rules 13a-14 and 15d-14 \55\ require a company's 
principal executive officer and principal financial officer to make 
certifications regarding the design and effectiveness of disclosure 
controls and procedures,\56\ and Item 307 of Regulation S-K and Item 
15(a) of Exchange Act Form 20-F require companies to disclose 
conclusions on the effectiveness of disclosure controls and 
procedures.\57\ These certifications and disclosures should take into 
account the adequacy of controls and procedures for identifying 
cybersecurity risks and incidents and for assessing and analyzing their 
impact. In addition, to the extent cybersecurity risks or incidents 
pose a risk to a company's ability to record, process, summarize, and 
report information that is required to be disclosed in filings, 
management should consider whether there are deficiencies in disclosure 
controls and procedures that would render them ineffective.
---------------------------------------------------------------------------

    \55\ 17 CFR 240.13a-14; 17 CFR 240.15d-14.
    \56\ Section 302 of the Sarbanes-Oxley Act of 2002 required the 
Commission to adopt final rules under which the principal executive 
officer or officers and the principal financial officer or officers, 
or persons providing similar functions, of an issuer each must 
certify the information contained in the issuer's quarterly and 
annual reports. Public Law 107-204, 116 Stat. 745 (2002).
    \57\ 17 CFR 229.307; 17 CFR 249.220f.
---------------------------------------------------------------------------

2. Insider Trading
    Companies and their directors, officers, and other corporate 
insiders should be mindful of complying with the laws related to 
insider trading in connection with information about cybersecurity 
risks and incidents, including vulnerabilities and breaches.\58\ It is 
illegal to trade a security ``on the basis of material nonpublic 
information about that security or issuer, in breach of a duty of trust 
or confidence that is owed directly, indirectly, or derivatively, to 
the issuer of that security or the shareholders of that issuer, or to 
any other person who is the source of the material nonpublic 
information.'' \59\ As noted above, information about a company's 
cybersecurity risks and incidents may be material nonpublic 
information, and directors, officers, and other corporate insiders 
would violate the antifraud provisions if they trade the company's 
securities in breach of their duty of trust or confidence while in 
possession of that material nonpublic information.\60\
---------------------------------------------------------------------------

    \58\ In addition to promoting full and fair disclosure, the 
antifraud provisions of the federal securities laws prohibit insider 
trading, which harms not only individual investors but also the very 
foundations of our markets by undermining investor confidence in the 
integrity of those markets. 17 CFR 243.100. Final Rule: Selective 
Disclosure and Insider Trading, Release No. 34-43154 (Aug. 15, 2000) 
[65 FR 51716 (Aug. 24, 2000)].
    \59\ Rule 10b5-1(a) under the Exchange Act [17 CFR 240.10b5-1(a)].
    \60\ This would not preclude directors, officers, and other 
corporate insiders from relying on Exchange Act Rule 10b5-1 if all 
conditions of that rule are met.
---------------------------------------------------------------------------

    Beyond the antifraud provisions of the federal securities laws, 
companies and their directors, officers, and other corporate insiders 
must comply with all other applicable insider trading related rules. 
Many exchanges require listed companies to adopt codes of conduct and 
policies that promote compliance with applicable laws, rules, and 
regulations, including those prohibiting insider trading.\61\ We 
encourage companies to consider how their codes of ethics \62\ and 
insider trading policies take into account and prevent trading on the 
basis of material nonpublic information related to cybersecurity risks 
and incidents. The Commission believes that it is important to have 
well designed policies and procedures to prevent trading on the basis 
of all types of material nonpublic information, including information 
relating to cybersecurity risks and incidents.

[[Page 8172]]
---------------------------------------------------------------------------

    \61\ See e.g., NYSE Listed Company Manual Section 303A.10, which 
states in relevant part that every NYSE ``listed company should 
proactively promote compliance with laws, rules and regulations, 
including insider trading laws. Insider trading is both unethical 
and illegal, and should be dealt with decisively.'' See also NASDAQ 
Listing Rule 5610 and Section 406(c) of the Sarbanes-Oxley Act of 
2002.
    \62\ Item 406 of Regulation S-K [17 CFR 229.406].
---------------------------------------------------------------------------

    In addition, while companies are investigating and assessing 
significant cybersecurity incidents, and determining the underlying 
facts, ramifications and materiality of these incidents, they should 
consider whether and when it may be appropriate to implement 
restrictions on insider trading in their securities. Company insider 
trading policies and procedures that include prophylactic measures can 
protect against directors, officers, and other corporate insiders 
trading on the basis of material nonpublic information before public 
disclosure of the cybersecurity incident. As noted above, we believe 
that companies would be well served by considering how to avoid the 
appearance of improper trading during the period following an incident 
and prior to the dissemination of disclosure.
3. Regulation FD and Selective Disclosure
    Companies also may have disclosure obligations under Regulation FD 
in connection with cybersecurity matters. Under Regulation FD, ``when 
an issuer, or person acting on its behalf, discloses material nonpublic 
information to certain enumerated persons it must make public 
disclosure of that information.'' \63\ The Commission adopted 
Regulation FD owing to concerns about companies making selective 
disclosure of material nonpublic information to certain persons before 
making full disclosure of that same information to the general 
public.\64\
---------------------------------------------------------------------------

    \63\ 17 CFR 243.100. Final Rule: Selective Disclosure and 
Insider Trading, Release No. 34-43154 (Aug. 15, 2000) [65 FR 51716 
(Aug. 24, 2000)].
    \64\ Id.
---------------------------------------------------------------------------

    In cases of selective disclosure of material nonpublic information 
related to cybersecurity, companies should ensure compliance with 
Regulation FD. Companies and persons acting on their behalf should not 
selectively disclose material, nonpublic information regarding 
cybersecurity risks and incidents to Regulation FD enumerated persons 
\65\ before disclosing that same information to the public.\66\ We 
expect companies to have policies and procedures to ensure that any 
disclosures of material nonpublic information related to cybersecurity 
risks and incidents are not made selectively, and that any Regulation 
FD required public disclosure is made simultaneously (in the case of an 
intentional disclosure as defined in the rule) or promptly (in the case 
of a non-intentional disclosure) and is otherwise compliant with the 
requirements of that regulation.\67\
---------------------------------------------------------------------------

    \65\ Regulation FD applies generally to selective disclosures 
made to persons outside the issuer who are (1) a broker or dealer or 
persons associated with a broker or dealer; (2) an investment 
advisor or persons associated with an investment advisor; (3) an 
investment company or persons affiliated with an investment company; 
or (4) a holder of the issuer's securities under circumstances in 
which it is reasonably foreseeable that the person will trade in the 
issuer's securities on the basis of the information. 17 CFR 
243.100(b)(1).
    \66\ Final Rule: Selective Disclosure and Insider Trading, 
Release No. 34-43154 (Aug. 15, 2000) [65 FR 51716 (Aug. 24, 2000)].
    \67\ ``Under the regulation, the required public disclosure may 
be made by filing or furnishing a Form 8-K, or by another method or 
combination of methods that is reasonably designed to effect broad, 
non-exclusionary distribution of the information to the public.'' 
Id. at 3.

---------------------------------------------------------------------------
    By the Commission.

    Dated: February 21, 2018.
Brent J. Fields,
Secretary.
[FR Doc. 2018-03858 Filed 2-23-18; 8:45 am]
 BILLING CODE 8011-01-P
                                                  (Lat. 35°38′09″ N, long. 77°23′03″ W)                    firms, the markets through which they                   interdependence among different infrastructure
                                                  Within a 4.4-mile radius of Pitt-Greenville              trade, or the infrastructure they count                 networks is increasing the scope for systemic
                                                Airport. This Class E airspace area is effective           on daily, the investing public and the                  failures—whether from cyber-attacks, software
                                                during the specific dates and times                                                                                glitches, natural disasters or other causes—to
                                                                                                           U.S. economy depend on the security                     cascade across networks and affect society in
                                                established in advance by a Notice to                      and reliability of information and                      unanticipated ways.’’). See also PwC, ‘‘Turnaround
                                                Airmen. The effective date and time will                   communications technology, systems,                     and Transformation in Cybersecurity: Key Findings
                                                thereafter be continuously published in the                                                                        from the Global State of Information Security
                                                Chart Supplement.
                                                                                                           and networks. Companies today rely on
                                                                                                                                                                   Survey 2016’’ (Oct. 2015), available at https://
                                                                                                           digital technology to conduct their                     www.pwccn.com/en/retail-and-consumer/rcs-info-
                                                Paragraph 6005 Class E Airspace Areas                      business operations and engage with                     security-2016.pdf. (finding that in 2015 there was a
                                                Extending Upward From 700 Feet or More                     their customers, business partners, and                 reported 38% increase in detected information
                                                Above the Surface of the Earth.                            other constituencies. In a digitally                    security incidents from 2014).
                                                                                                                                                                      3 A ‘‘cybersecurity incident’’ is ‘‘[a]n occurrence
                                                *        *      *       *      *                           connected world, cybersecurity presents                 that actually or potentially results in adverse
                                                ASO NC E5 Greenville, NC [Amended]                         ongoing risks and threats to our capital                consequences to . . . an information system or the
                                                Pitt-Greenville Airport, NC
                                                                                                           markets and to companies operating in                   information that the system processes, stores, or
                                                                                                           all industries, including public                        transmits and that may require a response action to
                                                  (Lat. 35°38′09″ N, long. 77°23′03″ W)                                                                            mitigate the consequences.’’ U.S. Computer
                                                  That airspace extending upward from 700                                                                          Emergency Readiness Team website, available at
                                                                                                             1 The U.S. Computer Emergency Readiness Team          https://niccs.us-cert.gov/glossary#I.
                                                feet above the surface within a 6.4-mile
                                                radius of Pitt-Greenville Airport.                         defines cybersecurity as ‘‘[t]he activity or process,      4 One study using a sample of 419 companies in
                                                                                                           ability or capability, or state whereby information     13 countries and regions noted that 47 percent of
jstallworth on DSKBBY8HB2PROD with RULES




                                                  Issued in College Park, Georgia, on                      and communications systems and the information          data breach incidents in 2016 involved a malicious
                                                February 14, 2018.                                         contained therein are protected from and/or             or criminal attack, 25 percent were due to negligent
                                                                                                           defended against damage, unauthorized use or            employees or contractors (human factor) and 28
                                                Ryan W. Almasy,                                            modification, or exploitation.’’ U.S. Computer          percent involved system glitches, including both IT
                                                Manager, Operations Support Group, Eastern                 Emergency Readiness Team website, available at          and business process failures. See Ponemon
                                                Service Center, Air Traffic Organization.                  https://niccs.us-cert.gov/glossary#C (Adapted from:     Institute and IBM Security, 2017 Cost of Data
                                                                                                           CNSSI 4009, NIST SP 800–53 Rev 4, NIPP, DHS             Breach Study: Global Overview (Jun. 2017),
                                                [FR Doc. 2018–03657 Filed 2–23–18; 8:45 am]                National Preparedness Goal; White House                 available at https://www.ponemon.org/library/2017-
                                                BILLING CODE 4910–13–P                                     Cyberspace Policy Review, May 2009).                    cost-of-data-breach-study-united-states.





[[Page 8167]] Federal Register / Vol. 83, No. 38 / Monday, February 26, 2018 / Rules and Regulations

other cybersecurity incidents may incur substantial costs\5\ and suffer other negative consequences, which may include:
    • Remediation costs, such as liability for stolen assets or information, repairs of system damage, and incentives to customers or business partners in an effort to maintain relationships after an attack;\6\
    • increased cybersecurity protection costs, which may include the costs of making organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third party experts and consultants;
    • lost revenues resulting from the unauthorized use of proprietary information or the failure to retain or attract customers following an attack;
    • litigation and legal risks, including regulatory actions by state and federal governmental authorities and non-U.S. authorities;\7\
    • increased insurance premiums;
    • reputational damage that adversely affects customer or investor confidence; and
    • damage to the company's competitiveness, stock price, and long-term shareholder value.
    Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack. Crucial to a public company's ability to make any required disclosure of cybersecurity risks and incidents in the appropriate timeframe are disclosure controls and procedures that provide an appropriate method of discerning the impact that such matters may have on the company and its business, financial condition, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents.\8\ In addition, the Commission believes that the development of effective disclosure controls and procedures is best achieved when a company's directors, officers, and other persons responsible for developing and overseeing such controls and procedures are informed about the cybersecurity risks and incidents that the company has faced or is likely to face.
    Additionally, directors, officers, and other corporate insiders must not trade a public company's securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company. Public companies should have policies and procedures in place to (1) guard against directors, officers, and other corporate insiders taking advantage of the period between the company's discovery of a cybersecurity incident and public disclosure of the incident to trade on material nonpublic information about the incident, and (2) help ensure that the company makes timely disclosure of any related material nonpublic information.\9\ In addition, we believe that companies are well served by considering the ramifications of directors, officers, and other corporate insiders trading in advance of disclosures regarding cyber incidents that prove to be material. We recognize that many companies have adopted preventative measures to address the appearance of improper trading and we encourage companies to consider such preventative measures in the context of a cyber event.

B. CF Disclosure Guidance: Topic No. 2

    In October 2011, the Division of Corporation Finance (the ``Division'') issued guidance that provided the Division's views regarding disclosure obligations relating to cybersecurity risks and incidents.\10\ The guidance explains that, although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, companies nonetheless may be obligated to disclose such risks and incidents.\11\ After the issuance of the guidance, many companies included additional cybersecurity disclosure, typically in the form of risk factors.\12\

C. Purpose of Release

    In light of the increasing significance of cybersecurity incidents, the Commission believes it is necessary to provide further Commission guidance. This interpretive release outlines the Commission's views with respect to cybersecurity disclosure requirements under the federal securities laws as they apply to public operating companies.\13\ While the Commission continues to consider other means of promoting appropriate disclosure of cyber incidents, we are reinforcing and expanding upon the staff's 2011 guidance. In addition, we address two topics not developed in the staff's 2011 guidance, namely the importance of cybersecurity policies and procedures and the application of insider trading prohibitions in the cybersecurity context.
    First, this release stresses the importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents. Companies are required to establish and maintain appropriate and effective disclosure controls and procedures that enable them to make accurate and timely disclosures of material events, including those related to cybersecurity. Such robust disclosure

---------------------------------------------------------------------------

    \5\ The average organizational cost of a data breach in the United States in 2016 was $7.35 million based on the sample in the study. Id. However, the total costs a company may incur in connection with a particular cyber-attack or incident could be much higher.
    \6\ A company's costs may also include payments to perpetrators of ransomware attacks in order to attempt to restore operations or protect customer data or other proprietary information. But see Federal Bureau of Investigation, ``How To Protect your Network from Ransomware,'' Ransomware Prevention and Response for CISOs, available at https://www.justice.gov/criminal-ccips/file/872771/download.
    \7\ See, e.g., New York State Department of Financial Services, 23 NYCRR 500, Cybersecurity Requirements for Financial Services Companies; European Union General Data Protection Regulation, Council Regulation 2016/679, 2016 O.J. (L 119) 1.
    \8\ See Section II.B.1 below for further discussion of disclosure controls and procedures.
    \9\ See Section II.B.2 below for further discussion of insider trading.
    \10\ See CF Disclosure Guidance: Topic No. 2—Cybersecurity (Oct. 13, 2011), available at https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
    \11\ Id.
    \12\ For example, Willis North America released a 2013 report that found that approximately 88% of the public Fortune 500 companies and about 78% of the Fortune 501-1000 companies included risk factor disclosure regarding cybersecurity in their annual reports filed in 2012. See Willis Fortune 1000 Cyber Disclosure Report (Aug. 2013), available at http://blog.willis.com/wp-content/uploads/2013/08/Willis-Fortune-1000-Cyber-Report_09-13.pdf. In 2015, over 88% of Russell 3000 companies disclosed cybersecurity as a risk. See Audit Analytics, ``Cybersecurity Disclosure in Risk Factors,'' (Jan. 14, 2016), available at http://www.auditanalytics.com/blog/cybersecurity-disclosures-in-risk-factors/.
    \13\ This release does not address the specific implications of cybersecurity to other regulated entities under the federal securities laws, such as registered investment companies, investment advisers, brokers, dealers, exchanges, and self-regulatory organizations. For example, in 2014 the Commission adopted Regulation Systems Compliance and Integrity, applicable to certain self-regulatory organizations, to strengthen the technology infrastructure of the U.S. securities markets. Final Rule: Regulation Systems Compliance and Integrity, Release No. 34-73639 (Nov. 19, 2014) [79 FR 72252 (Dec. 5, 2014)], available at https://www.sec.gov/rules/final/2014/34-73639.pdf. For additional cybersecurity regulations and resources, see the Commission's website page devoted to cybersecurity issues, available at https://www.sec.gov/spotlight/cybersecurity; see also Cybersecurity Guidance; IM Guidance Update (April 2015), available at https://www.sec.gov/investment/im-guidance-2015-02.pdf (staff guidance on cybersecurity measures for registered investment companies and investment advisers).





[[Page 8168]]

controls and procedures assist companies in satisfying their disclosure obligations under the federal securities laws.
    Second, we also remind companies and their directors, officers, and other corporate insiders of the applicable insider trading prohibitions under the general antifraud provisions of the federal securities laws and also of their obligation to refrain from making selective disclosures of material nonpublic information about cybersecurity risks or incidents.\14\
    The Commission, and the staff through its filing review process, continues to monitor cybersecurity disclosures carefully.

II. Commission Guidance

A. Overview of Rules Requiring Disclosure of Cybersecurity Issues

1. Disclosure Obligations Generally; Materiality

requirements impose an obligation to disclose such risks and incidents depending on a company's particular circumstances. For example:
    • Periodic Reports: Companies are required to file periodic reports\18\ to disclose specified information on a regular and ongoing basis.\19\ These periodic reports include annual reports on Form 10-K,\20\ which require companies to make disclosure regarding their business and operations, risk factors, legal proceedings, management's discussion and analysis of financial condition and results of operations (``MD&A''), financial statements, disclosure controls and procedures, and corporate governance.\21\ Periodic reports also include quarterly reports on Form 10-Q,\22\ which require companies to make disclosure regarding their financial statements, MD&A, and updated risk factors.\23\ Likewise, foreign private issuers are required to make

Securities Act, as well as Section 10(b) and Rule 10b-5 of the Exchange Act.\25\
    • Current Reports: In order to maintain the accuracy and completeness of effective shelf registration statements with respect to the costs and other consequences of material cybersecurity incidents,\26\ companies can provide current reports on Form 8-K\27\ or Form 6-K.\28\ Companies also frequently provide current reports on Form 8-K or Form 6-K to report the occurrence and consequences of cybersecurity incidents.\29\ The Commission encourages companies to continue to use Form 8-K or Form 6-K to disclose material information promptly, including disclosure pertaining to cybersecurity matters. This practice reduces the risk of selective disclosure, as well as the risk that trading in their securities on the basis of material non-public information may occur.\30\
    In addition to the information expressly required by Commission
                                                   Companies should consider the                         many of these same disclosures in their                  regulation, a company is required to
                                                materiality of cybersecurity risks and                   periodic reports on Form 20–F.24                         disclose ‘‘such further material
                                                incidents when preparing the disclosure                  Companies must provide timely and                        information, if any, as may be necessary
                                                that is required in registration                         ongoing information in these periodic                    to make the required statements, in light
                                                statements under the Securities Act of                   reports regarding material cybersecurity                 of the circumstances under which they
                                                1933 (‘‘Securities Act’’) and the                        risks and incidents that trigger                         are made, not misleading.’’ 31 The
                                                Securities Exchange Act of 1934                          disclosure obligations.                                  Commission considers omitted
                                                (‘‘Exchange Act’’), and periodic and                                                                              information to be material if there is a
                                                                                                            • Securities Act and Exchange Act
                                                current reports under the Exchange                                                                                substantial likelihood that a reasonable
                                                                                                         Obligations: Securities Act and
                                                Act.15 When a company is required to                                                                              investor would consider the information
                                                                                                         Exchange Act registration statements
                                                file a disclosure document with the                                                                               important in making an investment
                                                                                                         must disclose all material facts required
                                                Commission, the requisite form                                                                                    decision or that disclosure of the
                                                                                                         to be stated therein or necessary to make
                                                generally refers to the disclosure                                                                                omitted information would have been
                                                                                                         the statements therein not misleading.
                                                requirements of Regulation S–K 16 and                                                                             viewed by the reasonable investor as
                                                                                                         Companies should consider the
                                                Regulation S–X.17 Although these                                                                                  having significantly altered the total mix
                                                                                                         adequacy of their cybersecurity-related
                                                disclosure requirements do not                                                                                    of information available.32
                                                                                                         disclosure, among other things, in the
                                                specifically refer to cybersecurity risks                                                                           In determining their disclosure
                                                                                                         context of Sections 11, 12, and 17 of the
                                                and incidents, a number of the                                                                                    obligations regarding cybersecurity risks
                                                                                                                                                                  and incidents, companies generally
                                                                                                            18 An issuer with a class of securities registered
                                                   14 See Final Rule: Selective Disclosure and Insider
                                                                                                         under Section 12 or subject to Section 15(d) of the
                                                                                                                                                                  weigh, among other things, the potential
                                                Trading, Release No. 33–7881 (Aug. 15, 2000) [65
                                                FR 51715 (Aug. 24, 2000)], available at https://         Exchange Act is subject to the periodic and current
                                                                                                                                                                     25 15 U.S.C. 77k; 15 U.S.C. 77l; 15 U.S.C. 77q; 15
                                                www.sec.gov/rules/final/3-7881.htm.                      reporting requirements of Section 13 and 15(d),
                                                   15 Listed companies also should consider any          respectively, of the Exchange Act.                       U.S.C 78j(b); 17 CFR 240.10b–5.
                                                                                                            19 ‘‘Congress recognized that the ongoing                26 See Item 11(a) of Form S–3 [17 CFR 239.13] and
                                                obligations that may be imposed by exchange listing
                                                                                                         dissemination of accurate information by                 Item 5(a) of Form F–3 [17 CFR 239.33].
                                                requirements. For example, the NYSE requires
                                                listed companies to ‘‘release quickly to the public      companies about themselves and their securities is          27 17 CFR 249.308.

                                                any news or information which might reasonably be        essential to effective operation of the trading             28 17 CFR 249.306.

                                                expected to materially affect the market for its         markets. The Exchange Act rules require public              29 ‘‘The registrant may, at its option, disclose

                                                securities.’’ See NYSE Listed Company Manual             companies to make periodic disclosures at annual         under this Item 8.01 [of Form 8–K] any events, with
                                                Rule 202.05—Timely Disclosure of Material News           and quarterly intervals, with other important            respect to which information is not otherwise called
                                                Developments. In addition, in 2015, the NYSE, in         information reported on a more current basis. The        for by this form, that the registrant deems of
                                                partnership with Palo Alto Networks, published a         Exchange Act specifically provides for current           importance to security holders.’’ 17 CFR 308.
                                                summary of information about legal and regulatory        disclosure to maintain the currency and adequacy            30 See Sections II.B.2 and II.B.3 below for further

                                                aspects of cybersecurity governance for directors        of information disclosed by companies.’’ Proposed        discussion of insider trading and Regulation FD.
                                                and officers of public companies. See Navigating         Rule: Additional Form 8–K Disclosure                        31 Rule 408 of the Securities Act [17 CFR
                                                the Digital Age: The Definitive Cybersecurity Guide      Requirements and Acceleration of Filing Date,
                                                                                                                                                                  230.408]; Rule 12b–20 of the Exchange Act [17 CFR
                                                for Directors and Officers. Chicago: Caxton Business     Release No. 33–8106, 3–4 (Jun. 17, 2002) [67 FR
                                                                                                                                                                  240.12b–20]; and Rule 14a–9 of the Exchange Act
                                                & Legal, Inc., 2015, available at https://               42914 (Jun. 25, 2002)].
                                                                                                            20 17 CFR 249.310.
                                                                                                                                                                  [17 CFR 240.14a–9].
                                                www.securityroundtable.org/wp-content/uploads/                                                                       32 This approach is consistent with the standard
                                                                                                            21 See Part I, Items 1, 1A and 3 of Form 10–K; Part
                                                2015/09/Cybersecurity-9780996498203-no_
jstallworth on DSKBBY8HB2PROD with RULES




                                                                                                                                                                  of materiality articulated by the U.S. Supreme Court
                                                marks.pdf. Similarly, Nasdaq requires listed             II, Items 7, 8 and 9A of Form 10–K; and Part III,        in TSC Industries v. Northway, 426 U.S. 438, 449
                                                companies to ‘‘make prompt disclosure to the             Item 10 of Form 10–K [17 CFR 249.310].                   (1976) (a fact is material ‘‘if there is a substantial
                                                public of any material information that would               22 17 CFR 249.308a.
                                                                                                                                                                  likelihood that a reasonable shareholder would
                                                reasonably be expected to affect the value of its           23 See Part I, Items 1 and 2 of Form 10–Q; Part
                                                                                                                                                                  consider it important’’ in making an investment
                                                securities or influence investors’ decisions.’’ See      II, Item 1A of Form 10–Q [17 CFR 249.308a].              decision or if it ‘‘would have been viewed by the
                                                Nasdaq Listing Rule 5250(b)(1).                             24 See Part I, Items 3.D, 4, 5 and 8 of Form 20–      reasonable investor as having significantly altered
                                                   16 17 CFR part 229.
                                                                                                         F; Part II, Items 15 and 16G of Form 20–F; Part III,     the ‘total mix’ of information made available’’ to the
                                                   17 17 CFR part 210.                                   Items 17 and 18 of Form 20–F [17 CFR 249.220f].          shareholder).



Federal Register / Vol. 83, No. 38 / Monday, February 26, 2018 / Rules and Regulations 8169

materiality of any identified risk and, in the case of incidents, the importance of any compromised information and of the impact of the incident on the company’s operations. The materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations.[33] The materiality of cybersecurity risks and incidents also depends on the range of harm that such incidents could cause.[34] This includes harm to a company’s reputation, financial performance, and customer and vendor relationships, as well as the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities.

This guidance is not intended to suggest that a company should make detailed disclosures that could compromise its cybersecurity efforts—for example, by providing a ‘‘roadmap’’ for those who seek to penetrate a company’s security protections. We do not expect companies to publicly disclose specific, technical information about their cybersecurity systems, the related networks and devices, or potential system vulnerabilities in such detail as would make such systems, networks, and devices more susceptible to a cybersecurity incident. Nevertheless, we expect companies to disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal, or reputational consequences. Where a company has become aware of a cybersecurity incident or risk that would be material to its investors, we would expect it to make appropriate disclosure timely and sufficiently prior to the offer and sale of securities and to take steps to prevent directors and officers (and other corporate insiders who were aware of these matters) from trading its securities until investors have been appropriately informed about the incident or risk.[35]

Understanding that some material facts may not be available at the time of the initial disclosure, we recognize that a company may require time to discern the implications of a cybersecurity incident. We also recognize that it may be necessary to cooperate with law enforcement and that ongoing investigation of a cybersecurity incident may affect the scope of disclosure regarding the incident. However, an ongoing internal or external investigation—which often can be lengthy—would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.

We remind companies that they may have a duty to correct prior disclosure that the company determines was untrue (or omitted a material fact necessary to make the disclosure not misleading) at the time it was made [36] (for example, if the company subsequently discovers contradictory information that existed at the time of the initial disclosure), or a duty to update disclosure that becomes materially inaccurate after it is made [37] (for example, when the original statement is still being relied on by reasonable investors). Companies should consider whether they need to revisit or refresh previous disclosure, including during the process of investigating a cybersecurity incident.

We expect companies to provide disclosure that is tailored to their particular cybersecurity risks and incidents. As the Commission has previously stated, we ‘‘emphasize a company-by-company approach [to disclosure] that allows relevant and material information to be disseminated to investors without boilerplate language or static requirements while preserving completeness and comparability of information across companies.’’ [38] Companies should avoid generic cybersecurity-related disclosure and provide specific information that is useful to investors.

2. Risk Factors

Item 503(c) of Regulation S–K and Item 3.D of Form 20–F require companies to disclose the most significant factors that make investments in the company’s securities speculative or risky.[39] Companies should disclose the risks associated with cybersecurity and cybersecurity incidents if these risks are among such factors, including risks that arise in connection with acquisitions.[40]

It would be helpful for companies to consider the following issues, among others, in evaluating cybersecurity risk factor disclosure:

• The occurrence of prior cybersecurity incidents, including their severity and frequency;
• the probability of the occurrence and potential magnitude of cybersecurity incidents;
• the adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including, if appropriate, discussing the limits of the company’s ability to prevent or mitigate certain cybersecurity risks;
• the aspects of the company’s business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks, including industry-specific risks and third party supplier and service provider risks;
• the costs associated with maintaining cybersecurity protections, including, if applicable, insurance coverage relating to cybersecurity incidents or payments to service providers;
• the potential for reputational harm;
• existing or pending laws and regulations that may affect the requirements to which companies are subject relating to cybersecurity and the associated costs to companies; and
• litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.

In meeting their disclosure obligations, companies may need to

[33] For example, the compromised information might include personally identifiable information, trade secrets or other confidential business information, the materiality of which may depend on the nature of the company’s business, as well as the scope of the compromised information.

[34] As part of a materiality analysis, a company should consider the indicated probability that an event will occur and the anticipated magnitude of the event in light of the totality of company activity. Basic v. Levinson, 485 U.S. 224, 238 (1988) (citing SEC v. Texas Gulf Sulphur Co., 401 F. 2d 833, 849 (2d Cir. 1968)). Moreover, no ‘‘single fact or occurrence’’ is determinative as to materiality, which requires an inherently fact-specific inquiry. Basic, 485 U.S. at 236.

[35] See Sections 7 and 10 of the Securities Act; Sections 10(b), 13(a) and 15(d) of the Exchange Act; and Rule 10b–5 under the Exchange Act [15 U.S.C. 78j(b); 15 U.S.C. 78m(a); 15 U.S.C. 78o(d); 17 CFR 240.10b–5].

[36] See Backman v. Polaroid Corp., 910 F.2d 10, 16–17 (1st Cir. 1990) (en banc) (finding that the duty to correct applies ‘‘if a disclosure is in fact misleading when made, and the speaker thereafter learns of this.’’).

[37] See id. at 17 (describing the duty to update as potentially applying ‘‘if a prior disclosure ‘becomes materially misleading in light of subsequent events’’’ (quoting Greenfield v. Heublein, Inc., 742 F.2d 751, 758 (3d Cir. 1984))). But see Higginbotham v. Baxter Intern., Inc., 495 F.3d 753, 760 (7th Cir. 2007) (rejecting duty to update before next quarterly report); Gallagher v. Abbott Laboratories, 269 F.3d 806, 808–11 (7th Cir. 2001) (explaining that securities laws do not require continuous disclosure).

[38] See Business and Financial Disclosure Required by Regulation S–K, Release No. 33–10064 (Apr. 13, 2016) [81 FR 23915 (Apr. 22, 2016)]. See also Plain English Disclosure, Release No. 33–7497 (Jan. 28, 1998) [63 FR 6370 (Feb. 6, 1998)]; and Updated Staff Legal Bulletin No. 7: Plain English Disclosure (Jun. 7, 1999) available at https://www.sec.gov/interps/legal/cfslb7a.htm.

[39] 17 CFR 229.503(c); 17 CFR 249.220f.

[40] See Final Rule: Business Combination Transactions, Release No. 33–6578 (Apr. 23, 1985) [50 FR 18990 (May 6, 1985)].



                                           VerDate Sep<11>2014    14:55 Feb 23, 2018   Jkt 244001   PO 00000   Frm 00005   Fmt 4700   Sfmt 4700   E:\FR\FM\26FER1.SGM    26FER1


8170  Federal Register / Vol. 83, No. 38 / Monday, February 26, 2018 / Rules and Regulations

disclose previous or ongoing cybersecurity incidents or other past events in order to place discussions of these risks in the appropriate context. For example, if a company previously experienced a material cybersecurity incident involving denial-of-service, it likely would not be sufficient for the company to disclose that there is a risk that a denial-of-service incident may occur. Instead, the company may need to discuss the occurrence of that cybersecurity incident and its consequences as part of a broader discussion of the types of potential cybersecurity incidents that pose particular risks to the company's business and operations. Past incidents involving suppliers, customers, competitors, and others may be relevant when crafting risk factor disclosure. In certain circumstances, this type of contextual disclosure may be necessary to effectively communicate cybersecurity risks to investors.

3. MD&A of Financial Condition and Results of Operations

    Item 303 of Regulation S–K and Item 5 of Form 20–F require a company to discuss its financial condition, changes in financial condition, and results of operations. These items require a discussion of events, trends, or uncertainties that are reasonably likely to have a material effect on its results of operations, liquidity, or financial condition, or that would cause reported financial information not to be necessarily indicative of future operating results or financial condition and such other information that the company believes to be necessary to an understanding of its financial condition, changes in financial condition, and results of operations.\41\ In this context, the cost of ongoing cybersecurity efforts (including enhancements to existing efforts), the costs and other consequences of cybersecurity incidents, and the risks of potential cybersecurity incidents, among other matters, could inform a company's analysis. In addition, companies may consider the array of costs associated with cybersecurity issues, including, but not limited to, loss of intellectual property, the immediate costs of the incident, as well as the costs associated with implementing preventative measures, maintaining insurance, responding to litigation and regulatory investigations, preparing for and complying with proposed or current legislation, engaging in remediation efforts, addressing harm to reputation, and the loss of competitive advantage that may result.\42\ Finally, the Commission expects companies to consider the impact of such incidents on each of their reportable segments.\43\

4. Description of Business

    Item 101 of Regulation S–K and Item 4.B of Form 20–F require companies to discuss their products, services, relationships with customers and suppliers, and competitive conditions.\44\ If cybersecurity incidents or risks materially affect a company's products, services, relationships with customers or suppliers, or competitive conditions, the company must provide appropriate disclosure.

5. Legal Proceedings

    Item 103 of Regulation S–K requires companies to disclose information relating to material pending legal proceedings to which they or their subsidiaries are a party.\45\ Companies should note that this requirement includes any such proceedings that relate to cybersecurity issues. For example, if a company experiences a cybersecurity incident involving the theft of customer information and the incident results in material litigation by customers against the company, the company should describe the litigation, including the name of the court in which the proceedings are pending, the date the proceedings are instituted, the principal parties thereto, a description of the factual basis alleged to underlie the litigation, and the relief sought.

6. Financial Statement Disclosures

    Cybersecurity incidents and the risks that result therefrom may affect a company's financial statements. For example, cybersecurity incidents may result in:
    • expenses related to investigation, breach notification, remediation and litigation, including the costs of legal and other professional services;
    • loss of revenue, providing customers with incentives or a loss of customer relationship assets value;
    • claims related to warranties, breach of contract, product recall/replacement, indemnification of counterparties, and insurance premium increases; and
    • diminished future cash flows, impairment of intellectual, intangible or other assets; recognition of liabilities; or increased financing costs.
    The Commission expects that a company's financial reporting and control systems would be designed to provide reasonable assurance that information about the range and magnitude of the financial impacts of a cybersecurity incident would be incorporated into its financial statements on a timely basis as the information becomes available.\46\

7. Board Risk Oversight

    Item 407(h) of Regulation S–K and Item 7 of Schedule 14A require a company to disclose the extent of its board of directors' role in the risk oversight of the company, such as how the board administers its oversight function and the effect this has on the board's leadership structure.\47\ The Commission has previously said that ``disclosure about the board's involvement in the oversight of the risk management process should provide important information to investors about how a company perceives the role of its board and the relationship between the board and senior management in managing the material risks facing the company.''\48\ A company must include a description of how the board administers its risk oversight function.\49\ To the extent cybersecurity risks are material to a company's business, we believe this discussion should include the nature of the board's role in overseeing the management of that risk.
    In addition, we believe disclosures regarding a company's cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.

    \41\ 17 CFR 229.303; 17 CFR 249.220f.
    \42\ A number of past Commission releases provide general interpretive guidance on these disclosure requirements. See, e.g., Commission Guidance Regarding Management's Discussion and Analysis of Financial Condition and Results of Operations, Release No. 33–8350 (Dec. 19, 2003) [68 FR 75056 (Dec. 29, 2003)]; Commission Statement About Management's Discussion and Analysis of Financial Condition and Results of Operations, Release No. 33–8056 (Jan. 22, 2002) [67 FR 3746 (Jan. 25, 2002)]; Management's Discussion and Analysis of Financial Condition and Results of Operations; Certain Investment Company Disclosures, Release No. 33–6835 (May 18, 1989) [54 FR 22427 (May 24, 1989)].
    \43\ 17 CFR 229.303(a).
    \44\ 17 CFR 229.101; 17 CFR 249.220f.
    \45\ 17 CFR 229.103.
    \46\ See Section 13(b)(2)(B) of the Exchange Act [15 U.S.C. 78m(b)(2)(B)].
    \47\ 17 CFR 229.407(h); 17 CFR 240.14a–101--Schedule 14A.
    \48\ Final Rule: Proxy Disclosure Enhancements, Release No. 33–9089 (Dec. 16, 2009) [74 FR 68334 (Dec. 23, 2009)], available at http://www.sec.gov/rules/final/2009/33-9089.pdf.
    \49\ See Item 407(h) of Regulation S–K [17 CFR 229.407(h)].


                                                                  Federal Register / Vol. 83, No. 38 / Monday, February 26, 2018 / Rules and Regulations                                                        8171

                                                B. Policies and Procedures                               disclosure specifically required, but                     should consider whether there are
                                                                                                         should also ensure timely collection and                  deficiencies in disclosure controls and
                                                1. Disclosure Controls and Procedures
                                                                                                         evaluation of information potentially                     procedures that would render them
                                                   Cybersecurity risk management                         subject to required disclosure, or                        ineffective.
                                                policies and procedures are key                          relevant to an assessment of the need to
                                                elements of enterprise-wide risk                                                                                   2. Insider Trading
                                                                                                         disclose developments and risks that
                                                management, including as it relates to                   pertain to the company’s businesses.53                       Companies and their directors,
                                                compliance with the federal securities                   Information also must be evaluated in                     officers, and other corporate insiders
                                                laws. We encourage companies to adopt                    the context of the disclosure                             should be mindful of complying with
                                                comprehensive policies and procedures                    requirement of Exchange Act Rule 12b–                     the laws related to insider trading in
                                                related to cybersecurity and to assess                   20.54 When designing and evaluating                       connection with information about
                                                their compliance regularly, including                    disclosure controls and procedures,                       cybersecurity risks and incidents,
                                                the sufficiency of their disclosure                      companies should consider whether                         including vulnerabilities and
                                                controls and procedures as they relate to                such controls and procedures will                         breaches.58 It is illegal to trade a
                                                cybersecurity disclosure. Companies                      appropriately record, process,                            security ‘‘on the basis of material
                                                should assess whether they have                          summarize, and report the information                     nonpublic information about that
                                                sufficient disclosure controls and                       related to cybersecurity risks and                        security or issuer, in breach of a duty of
                                                procedures in place to ensure that                       incidents that is required to be disclosed                trust or confidence that is owed directly,
                                                relevant information about                               in filings. Controls and procedures                       indirectly, or derivatively, to the issuer
                                                cybersecurity risks and incidents is                     should enable companies to identify                       of that security or the shareholders of
                                                processed and reported to the                            cybersecurity risks and incidents, assess                 that issuer, or to any other person who
                                                appropriate personnel, including up the                  and analyze their impact on a                             is the source of the material nonpublic
                                                corporate ladder, to enable senior                       company’s business, evaluate the                          information.’’ 59 As noted above,
                                                management to make disclosure                            significance associated with such risks                   information about a company’s
                                                decisions and certifications and to                      and incidents, provide for open                           cybersecurity risks and incidents may
                                                facilitate policies and procedures                       communications between technical                          be material nonpublic information, and
                                                designed to prohibit directors, officers,                experts and disclosure advisors, and                      directors, officers, and other corporate
                                                and other corporate insiders from                        make timely disclosures regarding such                    insiders would violate the antifraud
                                                trading on the basis of material                         risks and incidents.                                      provisions if they trade the company’s
                                                nonpublic information about                                 Exchange Act Rules 13a–14 and 15d–                     securities in breach of their duty of trust
                                                cybersecurity risks and incidents.50                     14 55 require a company’s principal                       or confidence while in possession of
                                                   Pursuant to Exchange Act Rules 13a–                   executive officer and principal financial                 that material nonpublic information.60
                                                15 and 15d–15, companies must                            officer to make certifications regarding                     Beyond the antifraud provisions of
                                                maintain disclosure controls and                         the design and effectiveness of                           the federal securities laws, companies
                                                procedures, and management must                          disclosure controls and procedures,56                     and their directors, officers, and other
                                                evaluate their effectiveness.51 These                    and Item 307 of Regulation S–K and                        corporate insiders must comply with all
                                                rules define ‘‘disclosure controls and                   Item 15(a) of Exchange Act Form 20–F                      other applicable insider trading related
                                                procedures’’ as those controls and other                 require companies to disclose                             rules. Many exchanges require listed
                                                procedures designed to ensure that                       conclusions on the effectiveness of                       companies to adopt codes of conduct
                                                information required to be disclosed by                  disclosure controls and procedures.57                     and policies that promote compliance
                                                the company in the reports that it files                 These certifications and disclosures                      with applicable laws, rules, and
                                                or submits under the Exchange Act is (1)                 should take into account the adequacy                     regulations, including those prohibiting
                                                ‘‘recorded, processed, summarized and                    of controls and procedures for                            insider trading.61 We encourage
                                                reported, within the time periods                        identifying cybersecurity risks and                       companies to consider how their codes
                                                specified in the Commission’s rules and                  incidents and for assessing and                           of ethics 62 and insider trading policies
                                                forms,’’ and (2) ‘‘accumulated and                       analyzing their impact. In addition, to                   take into account and prevent trading on
                                                communicated to the company’s                            the extent cybersecurity risks or
                                                management . . . as appropriate to                       incidents pose a risk to a company’s                        58 In addition to promoting full and fair

                                                allow timely decisions regarding                         ability to record, process, summarize,                    disclosure, the antifraud provisions of the federal
                                                required disclosure.’’ 52                                and report information that is required                   securities laws prohibit insider trading, which
                                                                                                                                                                   harms not only individual investors but also the
                                                   A company’s disclosure controls and                   to be disclosed in filings, management                    very foundations of our markets by undermining
                                                procedures should not be limited to                                                                                investor confidence in the integrity of those
                                                                                                            53 See Final Rule: Certification of Disclosure in      markets. 17 CFR 243.100. Final Rule: Selective
                                                  50 See  Final Rule: Certification of Disclosure in     Companies’ Quarterly and Annual Reports, Release          Disclosure and Insider Trading, Release No. 34–
                                                Companies’ Quarterly and Annual Reports, Release         No. 33–8124 (Aug. 28, 2002) [67 FR 57276 (Sept.           43154 (Aug. 15, 2000) [65 FR 51716 (Aug. 24,
                                                No. 33–8124 (Aug. 28, 2002) [67 FR 57276 (Sept.          9, 2002)], available at https://www.sec.gov/rules/        2000)].
                                                9, 2002)], available at https://www.sec.gov/rules/       final/33-8124.htm (‘‘We believe that the new rules          59 Rule 10b5–1(a) of the Exchange Act [17 CFR

                                                final/33-8124.htm (‘‘We believe that, to assist          will help to ensure that an issuer’s systems grow         240.10b–5–1(a)].
                                                principal executive and financial officers in the        and evolve with its business and are capable of             60 This would not preclude directors, officers, and

discharge of their responsibilities in making the required certifications, as well as to discharge their responsibilities in providing accurate and complete information to security holders, it is necessary for companies to ensure that their internal communications and other procedures operate so that important information flows to the appropriate collection and disclosure points in a timely manner.''); see also Section 10(b) of the Exchange Act and Rule 10b–5 thereunder [15 U.S.C. 78j(b); 17 CFR 240.10b–5].
    51 17 CFR 240.13a–15; 17 CFR 240.15d–15.
    52 Id.
producing Exchange Act reports that are timely, accurate and reliable.'').
    54 17 CFR 240.12b–20.
    55 17 CFR 240.13a–14; 17 CFR 240.15d–14.
    56 Section 302 of the Sarbanes-Oxley Act of 2002 required the Commission to adopt final rules under which the principal executive officer or officers and the principal financial officer or officers, or persons providing similar functions, of an issuer each must certify the information contained in the issuer's quarterly and annual reports. Public Law 107–204, 116 Stat. 745 (2002).
    57 17 CFR 229.307; 17 CFR 249.220f.
other corporate insiders from relying on Exchange Act Rule 10b5–1 if all conditions of that rule are met.
    61 See e.g., NYSE Listed Company Manual Section 303A.10, which states in relevant part that every NYSE ``listed company should proactively promote compliance with laws, rules and regulations, including insider trading laws. Insider trading is both unethical and illegal, and should be dealt with decisively.'' See also NASDAQ Listing Rule 5610 and Section 406(c) of the Sarbanes-Oxley Act of 2002.
    62 Item 406 of Regulation S–K [17 CFR 229.406].





the basis of material nonpublic information related to cybersecurity risks and incidents. The Commission believes that it is important to have well designed policies and procedures to prevent trading on the basis of all types of material non-public information, including information relating to cybersecurity risks and incidents.
    In addition, while companies are investigating and assessing significant cybersecurity incidents, and determining the underlying facts, ramifications and materiality of these incidents, they should consider whether and when it may be appropriate to implement restrictions on insider trading in their securities. Company insider trading policies and procedures that include prophylactic measures can protect against directors, officers, and other corporate insiders trading on the basis of material nonpublic information before public disclosure of the cybersecurity incident. As noted above, we believe that companies would be well served by considering how to avoid the appearance of improper trading during the period following an incident and prior to the dissemination of disclosure.

3. Regulation FD and Selective Disclosure

    Companies also may have disclosure obligations under Regulation FD in connection with cybersecurity matters. Under Regulation FD, ``when an issuer, or person acting on its behalf, discloses material nonpublic information to certain enumerated persons it must make public disclosure of that information.'' 63 The Commission adopted Regulation FD owing to concerns about companies making selective disclosure of material nonpublic information to certain persons before making full disclosure of that same information to the general public.64
    In cases of selective disclosure of material nonpublic information related to cybersecurity, companies should ensure compliance with Regulation FD. Companies and persons acting on their behalf should not selectively disclose material, nonpublic information regarding cybersecurity risks and incidents to Regulation FD enumerated persons 65 before disclosing that same information to the public.66 We expect companies to have policies and procedures to ensure that any disclosures of material nonpublic information related to cybersecurity risks and incidents are not made selectively, and that any Regulation FD required public disclosure is made simultaneously (in the case of an intentional disclosure as defined in the rule) or promptly (in the case of a non-intentional disclosure) and is otherwise compliant with the requirements of that regulation.67

    By the Commission.

    Dated: February 21, 2018.
Brent J. Fields,
Secretary.

    63 17 CFR 243.100. Final Rule: Selective Disclosure and Insider Trading, Release No. 34–43154 (Aug. 15, 2000) [65 FR 51716 (Aug. 24, 2000)].
    64 Id.
    65 Regulation FD applies generally to selective disclosures made to persons outside the issuer who are (1) a broker or dealer or persons associated with a broker or dealer; (2) an investment advisor or persons associated with an investment advisor; (3) an investment company or persons affiliated with an investment company; or (4) a holder of the issuer's securities under circumstances in which it is reasonably foreseeable that the person will trade in the issuer's securities on the basis of the information. 17 CFR 243.100(b)(1).
    66 Final Rule: Selective Disclosure and Insider Trading, Release No. 34–43154 (Aug. 15, 2000) [65 FR 51716 (Aug. 24, 2000)].
    67 ``Under the regulation, the required public disclosure may be made by filing or furnishing a Form 8–K, or by another method or combination of methods that is reasonably designed to effect broad, non-exclusionary distribution of the information to the public.'' Id. at 3.

[FR Doc. 2018–03858 Filed 2–23–18; 8:45 am]
BILLING CODE 8011–01–P

-----------------------------------------------------------------------

DEPARTMENT OF LABOR

Benefits Review Board

20 CFR Part 802

RIN 1290–AA32

Change of Mailing Address for the Benefits Review Board

AGENCY: Benefits Review Board, Labor.

ACTION: Final rule; technical amendment.

SUMMARY: This rule amends one section of the Benefits Review Board's regulations in order to change the mailing address for notices of appeal and correspondence sent to the Board.

DATES: This rule is effective March 28, 2018.

FOR FURTHER INFORMATION CONTACT: Mr. Thomas Shepherd, Clerk of the Appellate Boards, at 202–693–6319 or Shepherd.Thomas@dol.gov.

SUPPLEMENTARY INFORMATION:

I. Background

    On March 7, 1997, the Department issued a technical amendment to 20 CFR 802.204 to include a U.S. Post Office Box mailing address for filing notices of appeal with the Board. 62 FR 10666. The Department added the P.O. Box to augment timely receipt of incoming mail. Over time, the Department has found this supplemental process is not needed to ensure the timely receipt of mail. Therefore, to save costs, the Department is eliminating the P.O. Box and amending its regulations to direct that all notices of appeal and correspondence filed by mail be sent directly to the Board's offices in the Frances Perkins Department of Labor Building in Washington, DC. This document amends the relevant section in the Code of Federal Regulations governing the procedural rules of the Board in order to present the new mailing address.

II. Statutory Authority

    This rule is promulgated by the Secretary of Labor under the authority of 5 U.S.C. 301, as well as the Black Lung Benefits Act, 30 U.S.C. 901 et seq., and the Longshore and Harbor Workers' Compensation Act, 33 U.S.C. 901 et seq.

III. Rulemaking Analyses

A. Administrative Procedure Act

    Section 553(b)(3) of the Administrative Procedure Act (APA), 5 U.S.C. 553(b)(3), provides that an agency is not required to publish a notice of proposed rulemaking in the Federal Register for ``rules of agency organization, procedure, or practice.'' 5 U.S.C. 553(b)(3)(A). Rules are also exempt when an agency finds ``good cause'' that notice and comment rulemaking procedures would be ``impracticable, unnecessary, or contrary to the public interest.'' 5 U.S.C. 553(b)(3)(B). The Department has determined that this rulemaking meets the notice and comment exemption requirements in 5 U.S.C. 553(b)(3)(A) and (B). The Department's revision makes a technical and non-substantive change to the rules of procedure before the Benefits Review Board and does not alter any substantive standard. The Department does not believe that public comment is necessary for this minor revision.

B. Regulatory Flexibility Act, Unfunded Mandates Reform Act, and Small Business Regulatory Enforcement Fairness Act

    Because no notice of proposed rulemaking is required for this rule under section 553(b) of the APA, the requirements of the Regulatory Flexibility Act at 5 U.S.C. 601(2) do not apply to this rule, and the rule is not





Document Created: 2018-02-24 01:00:21
Document Modified: 2018-02-24 01:00:21
Category: Regulatory Information
Collection: Federal Register
SuDoc Class: AE 2.7:; GS 4.107:; AE 2.106:
Publisher: Office of the Federal Register, National Archives and Records Administration
Section: Rules and Regulations
Action: Interpretation.
Dates: Applicable February 26, 2018.
Contact: Questions about specific filings should be directed to staff members responsible for reviewing the documents the company files with the Commission. For general questions about this release, contact the Office of the Chief Counsel at (202) 551-3500 in the Division of Corporation Finance, U.S. Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549.
FR Citation: 83 FR 8166
CFR Citation: 17 CFR 229; 17 CFR 249
