In October of 2011, the U.S. Securities and Exchange Commission (“SEC”) issued guidance regarding a public company’s obligations to disclose cybersecurity risks and cyber incidents (the “Cybersecurity Disclosure Guidance”).1 The Cybersecurity Disclosure Guidance applies to all SEC registrants and relates to disclosures under the Securities Act of 1933 and the Securities Exchange Act of 1934.
The SEC staff acknowledged that no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents. The staff made clear, however, that there are a number of disclosure requirements that might impose an obligation on an issuer to disclose such risks and incidents. The Cybersecurity Disclosure Guidance then identified and discussed certain of those requirements, including disclosures required in risk factors, MD&A, business descriptions, legal proceedings, financial statements and disclosure controls and procedures. The staff stated that as with other operational and financial matters, issuers “should review, on an ongoing basis, the adequacy of their disclosures relating to cybersecurity risks and cyber incidents,” with a view to ensuring timely, comprehensive and accurate information that a reasonable investor would consider material. The staff made clear that if a cyber incident occurs, such as a data breach, registrants should be certain to disclose any material impact of the incident on their business operations and explain how they have taken steps to mitigate damage.
Since the original publication of the Cybersecurity Disclosure Guidance, the SEC has remained focused on the implications of cybersecurity on public companies and regulated financial service firms. In 2014 the SEC’s Office of Compliance Inspections and Examinations issued a national exam program alert providing a framework for assessing cyber risk and announcing a plan to examine a sampling of registered broker-dealers and investment advisors to review their cybersecurity preparedness. All public companies should evaluate their current disclosures to ensure that they are consistent with the Cybersecurity Disclosure Guidance and should consider implementing a readiness plan to ensure appropriate and timely disclosures in the event of a cyber incident.
Click here to view the table.