Registrants, are you worried that the SEC will focus its watchful eye on your filings? In November 2018, Kyle Moffatt, Chief Accountant at the SEC’s Division of Corporation Finance, said at the Current Financial Reporting Issues Conference in New York that companies should step up their level of disclosure about cybersecurity, Brexit and the planned phaseout of the London Interbank Offered Rate (LIBOR). In fact, SEC Chairman Jay Clayton echoed that sentiment in a December 2018 speech covering SEC rulemaking in 2018, rulemaking to come and challenges posed by Brexit, LIBOR transition and cybersecurity risks.
This blog post is the first of three installments focusing on the disclosure detail that the SEC is looking for in your corporate filings, along with examples of SEC comments on certain disclosures and companies’ related responses so that you can see how other public companies are addressing these comments. In this installment, we cover cybersecurity disclosures. Part 2 will do the same in the context of Brexit, while Part 3 will have as its focus the LIBOR phaseout.
Cybersecurity disclosure, disclosure, disclosure
Cybersecurity disclosure review is among the SEC’s key priorities in 2019, especially as cyber threats and incidents continue to grow with even greater far-reaching effects. In carrying out this priority, SEC Staff, through their interpretive guidance and comment letters, attempt to steer registrants away from the generic cybersecurity disclosures that have become so commonplace and towards meaningful disclosures that help guide investors’ decision-making process, particularly disclosures that are tailored to the specific business, legal and reputational risks that registrants face from cyber threats.
The SEC wants registrants to align their cybersecurity disclosures with its Interpretive Release No. 33-10459, Commission Statement and Guidance on Public Company Cybersecurity Disclosures, issued in February 2018 (available on Thomson Reuters Checkpoint). That interpretive guidance reinforced the Staff’s October 2011 guidance in CF Disclosure Guidance: Topic No. 2 and expanded upon it by addressing the importance of cybersecurity policies and procedures along with the application of insider trading prohibitions in the cybersecurity context.
The crux of the guidance is that the SEC is looking for detailed disclosure about cybersecurity risks and incidents in your Securities Act and Securities Exchange Act (Exchange Act) registration statements and in your Exchange Act periodic and current reports, including:
- Risks associated with cybersecurity and cybersecurity incidents that make investments in your securities speculative or risky (e.g., costs associated with insurance coverage relating to cybersecurity incidents, if applicable; existing or pending laws and regulations that may affect the requirements that you’re subject to relating to cybersecurity and associated costs);
- Cost of ongoing cybersecurity efforts;
- Costs and other consequences of cybersecurity incidents and risks of potential cybersecurity incidents;
- Nature of your board of director’s role in overseeing the management of cybersecurity risk;
- Extent to which cybersecurity affects your products, services and relationships;
- Cybersecurity-related legal proceedings;
- Cybersecurity incidents and resultant risks that affect a company’s financial statements;
- Adoption of cybersecurity risk management policies and procedures; and
- Extent to which insider trading policies consider material non-public information related to cybersecurity.
Cybersecurity disclosures under scrutiny
To help you understand what the SEC expects when it comes to the level of cybersecurity disclosure, below are three such disclosures that were the subject of SEC comments. Each case highlights the company’s original disclosure, the SEC comments and the company’s amended disclosure, and in each one, SEC Staff didn’t raise any issue with the revised disclosure. This will hopefully help to drive home the importance of these disclosures being detailed enough to enable investors to evaluate material cybersecurity risks.
1) Luckin Coffee Inc. (Form F-1 Draft Registration Statement (DRS) filed February 22, 2019)
- Original disclosure (Business—User Privacy and Data Security, page 101): “Various laws and regulations, such as the Cyber Security Law of the PRC, govern the collection, use, retention, sharing, and security of the personal data we receive from and about our users. Privacy groups and government bodies have increasingly scrutinized the ways in which companies link personal identities and data associated with particular users with data collected through the internet, and we expect such scrutiny to continue to increase. We have adopted policies, procedures and guidelines to comply with these laws and regulations and protect the personal privacy of our customers and the security of their data.”
- SEC comments (Form UPLOAD filed March 21, 2019): “We note the disclosure here that you have adopted policies, procedures and guidelines to comply with cybersecurity laws and regulations and protect the personal privacy of your customers and the security of their data. We also note your risk factor disclosure on page 22 that you ‘have in the past and are likely again in the future to be subject to these types of attacks, although to date no such attack has resulted in any material damages or remediation costs.’ Since it appears that cybersecurity risks are material to your business, please disclose the nature of the board’s role in overseeing your cybersecurity risk management, the manner in which the board administers this oversight function and any effect this has on the board’s leadership structure.”
- Amended disclosure (see Form F-1 DRS/A filed March 25, 2019, page 110 or Form F-1 filed April 22, 2019, page 121): The company added the following to the end of the original disclosure: “Our board of directors has general oversight power over cybersecurity issues and delegates the daily supervision responsibility to our chief executive officer, Ms. Qian. The head of our IT department directly reports cybersecurity status to Ms. Qian, and in case of a cybersecurity incident, Ms. Qian will report the incident to our board of directors to take appropriate and timely measures in response to the incident.”
2) Tectonic Financial, Inc. f/k/a T Acquisition, Inc. (Form S-1 DRS filed February 13, 2019)
- Original Disclosure (Risk Factors, page 50): The risk factor beginning with “The occurrence of fraudulent activity, breaches of our information security, and cybersecurity attacks could adversely affect our ability to conduct our business, manage our exposure to risk or expand our businesses, result in the disclosure or misuse of confidential or proprietary information, increase our costs to maintain and update our operational and security systems and infrastructure, and adversely impact our results of operations, liquidity and financial condition, as well as cause legal or reputational harm.”
- SEC Comments (Form UPLOAD filed March 12, 2019): “Please clarify whether you have experienced any of the referenced types of breaches. Refer to CF Disclosure Guidance: Topic No. 2.”
- Amended Disclosure (see Form S-1 DRS/A filed April 3, 2019, page 54 or Form S-1 filed April 18, 2019, pages 55-56 ): “… Although to date we have not experienced any material fraudulent activity, breaches of our information security or cyber-attack, a successful penetration or circumvention of system security could cause us negative consequences, including loss of clients and business opportunities, disruption to our operations and business, misappropriation or destruction of our confidential information and/or that of our clients, or damage to our clients’ and/or third parties’ computers or systems, and could expose us to additional regulatory scrutiny and result in a violation of applicable privacy laws and other laws, litigation exposure, regulatory fines, penalties or intervention, loss of confidence in our security measures, reputational damage, reimbursement or other compensatory costs, additional compliance costs, and could adversely impact our results of operations, liquidity and financial condition.”
3) Lyft, Inc. (Form S-1 DRS filed December 6, 2018)
- Original Disclosure: The entire “Management” section covering pages 132 through 140.
- SEC Comments (Form UPLOAD filed February 4, 2019): “The Board’s structure with regard to risk oversight and cybersecurity is unclear. See Item 407(h) of Regulation S-K and the Commission Statement and Guidance on Public Company Cybersecurity Disclosures dated February 26, 2018.”
- Amended Disclosure (see Form S-1 DRS/A filed February 7, 2019, page 140 or Form S-1 filed March 1, 2019, page 162): The company added to the “Management” section a new subsection titled “Role of Board of Directors in Risk Oversight Process,” as follows: “Our board of directors has responsibility for the oversight of our risk management processes and, either as a whole or through its committees, regularly discusses with management our major risk exposures, their potential impact on our business and the steps we take to manage them. The risk oversight process includes receiving regular reports from board committees and members of senior management to enable our board of directors to understand our risk identification, risk management and risk mitigation strategies with respect to areas of potential material risk, including operations, finance, legal, regulatory, cybersecurity, strategic and reputational risk.”
Registrants, you should be mindful of the cybersecurity interpretive guidance and reflect on the above and other SEC comment letters and company responses (available on Thomson Reuters Checkpoint) as you prepare your cybersecurity disclosures. And stay tuned for the next installments covering Brexit and the planned LIBOR phaseout.