The Securities and Exchange Commission (SEC) recently published interpretive guidance on public company cybersecurity disclosures, including publicly traded real estate investment trusts. While the new guidance confirms the SEC’s intensified focus on cybersecurity disclosures, by the SEC’s own characterization, it primarily reinforces and somewhat expands upon guidance previously issued by the SEC staff in October 2011. In fact, much of the language included in this new guidance tracks word for word with the staff’s 2011 guidance. While the consensus appears to be that this “new” guidance does not represent a significant change to existing SEC rules and guidance, we believe it still warrants vital attention due not only to the importance of the subject matter, but also to the emphasis on board oversight, a growing focus in this area. The full text of the SEC’s statement and guidance can be found here.
Reinforcing 2011 Guidance. The new interpretive guidance provides important reminders regarding SEC rules that may require disclosure of cybersecurity matters, including an outline of (1) disclosure obligations in annual and quarterly reports and under the Securities Act of 1933, (2) the use of current reports on Form 8-K as tools to update registration statements and report cybersecurity incidents (without imposing a specific current reporting obligation), (3) materiality considerations as they relate to cybersecurity matters, and (4) the sections of public filings that may prompt disclosure: Risk Factors, MD&A, Description of Business, Legal Proceedings and Financial Statement Disclosures. As in the 2011 guidance, the new guidance emphasizes that a company’s disclosure should be “tailored to their particular cybersecurity risks and incidents.” The new guidance also provides additional insight on factors the SEC believes should be weighed when assessing the materiality of a particular incident, including the importance of any compromised information; the impact on the company’s operations, reputation, financial performance and third-party relationships; and the possibility of litigation or regulatory action.
Board Oversight of Cybersecurity Risk. A disclosure area that was not previously highlighted in the 2011 guidance but that is notably explored in the new guidance is board risk oversight. Under applicable law, companies are required to disclose the extent of the board of directors’ role in risk oversight. The new guidance is clear that, to the extent cybersecurity risks are material to a company’s business, the SEC believes the risk oversight discussion in a company’s proxy statement should include disclosure regarding the board’s role in overseeing management of cybersecurity risks.
The Importance of Disclosure Controls and Procedures. The new guidance emphasizes the need to maintain disclosure controls and procedures designed to ensure timely and accurate disclosure of cybersecurity matters, and focuses on whether those controls sufficiently escalate information regarding cybersecurity incidents and risks up the corporate ladder to top management, including the CEO and CFO, who provide the required certifications. The SEC advises that certifications and disclosures should take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents.
Implications Under Insider Trading Laws and Regulation FD. The new guidance reminds companies that information about cybersecurity incidents and risks may constitute material nonpublic information and encourages a re-evaluation of insider trading policies and procedures to confirm they adequately address material nonpublic information related to cybersecurity matters.
Key Takeaways for Publicly Traded REITs
- The SEC is serious about meaningful cybersecurity disclosure. There is no doubt that if a company experiences a breach, its cybersecurity disclosures will come under scrutiny. REITs should ensure that there is a firm understanding of the scope of information collected, stored or used by the REIT in the conduct of its business and the risk related to such information. REIT Advisor has previously addressed the topic of personal information collected in the retail space and its implications for retail REITs. REITs that directly interact with consumers face comparable considerations in their operations, including multifamily, single-family or seniors-housing focused REITs where information regarding individuals is exchanged. Business-to-business REITs also have operations, and handle information, that are potential targets of bad actors, for example because of the volume of goods customers move through logistics facilities or the financial wherewithal of healthcare providers.
- Expect increasing emphasis on board oversight not only from the SEC but from shareholders, customers and other stakeholders. The board should have a firm understanding of its role and oversight responsibilities with respect to cybersecurity. Boards should take affirmative steps to confirm directors and trustees understand the risks and are comfortable with how the board oversees those risks, which may include design and implementation of response plans or training sessions for directors and trustees.
- Revisit disclosure controls and insider trading and selective disclosure policies and procedures to confirm they adequately prepare for cybersecurity incidents and risks. Companies should ensure senior decision-makers are receiving adequate information about cybersecurity matters to enable them to make informed disclosure and insider trading decisions, and should “whiteboard” how a significant incident would play out under applicable policies and procedures.