On February 21, 2018, the Securities and Exchange Commission (“SEC”) issued a statement and interpretive guidance on issuers’ cybersecurity disclosures. For a general discussion of the guidance, see Davis Polk’s recent Client Memorandum. Although the guidance does not impose any new requirements on issuers, the SEC’s emphasis on Board oversight of cybersecurity gives new meaning to existing requirements.
The SEC notes that “[t]o the extent cybersecurity risks are material to a company’s business,” its disclosure should include “the nature of the board’s role in overseeing the management” of those cybersecurity risks. Moreover, the SEC states that the board of directors’ engagement with senior management on cybersecurity risks is indicative of the board’s overall ability to discharge its risk oversight duties. In short, the SEC’s guidance sets the expectation that boards are actively engaged in cybersecurity issues. Some examples of steps that boards can take in discharging their oversight role for cybersecurity include asking management to report to the board, or to a committee of the board, on:
- Whether a risk assessment has been conducted on the company’s most sensitive electronic and hard-copy information, and if so, the results of that assessment;
- Whether the company’s cybersecurity program meets industry standards and regulatory obligations;
- Whether the company’s breach response procedures have been tested, including those relating to business continuity;
- What training is provided to new and existing employees on cybersecurity awareness;
- What internal and external resources are being devoted to cybersecurity;
- Whether the company has the appropriate amount and scope of cybersecurity insurance coverage;
- What cybersecurity due diligence is conducted on third parties with access to the company’s sensitive data;
- What contacts the company has established with law enforcement.
Davis Polk, through its Cybersecurity Assessment Portal, provides dozens of resources to help clients understand their evolving legal and regulatory cybersecurity obligations. For more information, email us at firstname.lastname@example.org.
The authors gratefully acknowledge the assistance of law clerks Michelle Adler, Daniela Dekhtyar-McCarthy, and Molly O’Malley Clarke in preparing this entry.