Paul Ferrillo is partner at Seyfarth Shaw LLP; Bob Zukis is Adjunct Professor of Management and Organization at the USC Marshall School of Business; and Christophe Veltsos is a Professor at Minnesota State University.
The Securities and Exchange Commission’s (the “SEC”) very recent settled enforcement action against First American Financial Corporation (“FAF”), with an agreed-upon cease and desist order and a monetary penalty of almost $500,000, reaffirmed what we have been preaching: when it comes to the cybersecurity disclosures of public companies, the SEC is watching closely for compliance both under applicable disclosure law (the Securities and Exchange Act of 1934) and under its 2018 Cybersecurity Guidance, which was issued in the wake of two noteworthy breaches, Yahoo and Equifax.
More directive cyber risk disclosure requirements are likely coming from the SEC this fall. And while cyber risk disclosure isn’t a “get out of jail free” card in the event of litigation, timely and accurate disclosure can significantly reduce a company’s exposure to litigation risk.
That the SEC was already “watching” in regard to cyber risk disclosure should be no surprise to registrants as the SEC first issued cybersecurity guidance in 2011. While no disclosure requirements at that time explicitly referred to cybersecurity risks and cyber incidents, the SEC’s 2011 Guidance clarified that companies may nevertheless be obliged to disclose “timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision.” The SEC subsequently issued its 2018 Guidance to summarize the guidelines concerning cybersecurity disclosure requirements, to reinforce and expand upon the 2011 Guidance, and to address three topics not previously addressed: (1) the significance of cybersecurity risk management procedures and policies, (2) board oversight of cybersecurity, and (3) insider trading restrictions concerning cybersecurity.