By John I. Sanders and Lauren Henderson

On February 13, 2018, SEC Commissioner Kara Stein discussed the significance of cybersecurity in a speech at Stanford University.[i] Stein argued in her speech that cybersecurity is one of the biggest challenges facing our economy because cybersecurity attacks and incidents can have a material effect on companies and affect millions of people.[ii] Stein went on to criticize current cybersecurity disclosures made by regulated entities (e.g., public companies and mutual funds) as boilerplate and failing to provide useful or meaningful information.[iii] Stein believes corporations (with SEC oversight) should do more to ensure protection of investor and company information from cyber attacks.[iv]

On February 21, 2018, the SEC followed up Stein’s speech by releasing interpretive guidance on public company cybersecurity disclosures (the “2018 Guidance”) that reinforced and expanded guidance issued in 2011.[v] The 2018 Guidance reminds companies that current SEC disclosure requirements include the obligation to disclose cybersecurity risks and incidents.[vi] The 2018 Guidance also describes certain factors companies should consider when determining whether a cybersecurity risk or incident is material.[vii] These factors include the importance of the compromised information, impact on company operations, and range of harm an incident may cause.[viii] The 2018 Guidance states that companies should provide useful information to investors while cautioning that companies must avoid both overly detailed disclosures that could compromise their cybersecurity efforts and disclosures that are too generic.[ix]

The obligations and considerations detailed in the 2018 Guidance are envisioned to fit within a comprehensive compliance program.
To that end, companies should have “comprehensive policies and procedures related to cybersecurity” and “assess their compliance regularly.”[x]

In a statement announcing the 2018 Guidance, Chairman Clayton asserted that “the guidance will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information to investors.”[xi] Chairman Stein has indicated that the 2018 Guidance may be the SEC’s first step in addressing cybersecurity issues as it “provides only modest changes to the 2011 staff guidance.”[xii]

While the 2018 Guidance contains sound advice, it also creates difficulties for companies. Most significantly, it may be difficult for companies to find the appropriate balance between disclosing meaningful information and protecting their information systems. To tailor appropriate disclosures, companies will need the assistance of legal counsel and, potentially, other third-party service providers. Companies should act immediately to ensure alignment with the 2018 Guidance, as cybersecurity is an examination priority of the Office of Compliance Inspections and Examinations for fiscal year 2018.[xiii]

If you have any questions about developing cybersecurity policies or disclosure obligations, please feel free to contact us.

John I. Sanders and Lauren Henderson are associates based in the firm’s Winston-Salem office.

[i] SEC Commissioner Kara M. Stein, Mutualism: Reimagining the Role of Shareholders in Modern Corporate Governance, Stanford, California (Feb. 13, 2018), available at https://www.sec.gov/news/speech/speech-stein-021318.
[ii] Id.
[iii] Id.
[iv] Id.
[v] Division of Corporate Finance, SEC, Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Release Nos. 33-10459, 34-82746 (Feb. 21, 2018), available at https://www.sec.gov/news/press-release/2018-22.
[vi] Id.
[vii] Id.
[viii] Id.
[ix] Id.
[x] Id.
[xi] SEC Chairman Jay Clayton, Statement on Cybersecurity Interpretive Guidance (Feb. 21, 2018), available at https://www.sec.gov/news/public-statement/statement-clayton-2018-02-21.
[xii] SEC Commissioner Kara M. Stein, Statement on Commission Statement and Guidance on Public Company Cybersecurity Disclosures (Feb. 21, 2018), available at https://www.sec.gov/news/public-statement/statement-stein-2018-02-21.
[xiii] SEC, SEC Office of Compliance Inspections and Examinations Announces 2018 Examination Priorities (Feb. 7, 2018), available at https://www.sec.gov/news/press-release/2018-12.