On October 13, 2011, the SEC’s Division of Corporation Finance issued “CF Disclosure Guidance: Topic No. 2, Cybersecurity,” addressing disclosure obligations relating to cybersecurity risks and cyber incidents. Pursuant to the Securities Act of 1933 and the Securities Exchange Act of 1934, publicly owned companies are required to provide timely, comprehensive and accurate information about risks and events that a reasonable investor would consider important to an investment decision. In light of the increased use of digital technologies in commerce and recent high-profile data breach and cybersecurity-related events, the SEC decided to provide guidance regarding what, if any, disclosures should be provided about cybersecurity matters in light of a company’s specific facts and circumstances.
Negative Effects of Cyber Attack
The negative effects of a cyber attack were outlined by the SEC as:
- Remediation costs including liability for stolen assets or information, and repairing system damage. Remediation costs would include incentives offered to customers to maintain the business relationship after the attack.
- Increased cybersecurity protection costs including organizational changes, deploying additional personnel and protection technologies, training employees and engaging third party experts and consultants.
- Lost revenues resulting from unauthorized use of proprietary information or the failure to attract customers following an attack.
- Litigation and reputational damage affecting customer or investor confidence.
Depending on a particular company’s facts and circumstances, and to the extent such facts and circumstances were material, the SEC indicated that appropriate disclosures might include:
- Discussion of the company’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences.
- To the extent the company outsources functions that have material cybersecurity risks, descriptions of those functions and how the company addresses those risks.
- Description of cyber incidents experienced by the company that are individually or in the aggregate, material, including a description of the costs and consequences.
- Risks related to cyber incidents that may remain undetected for an extended period.
- Description of relevant insurance coverage.
The SEC indicated that disclosures should be made in the Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A) “…if costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.”
Companies will also need to indicate in a Description of Business disclosure if “…one or more cyber incidents materially affect a registrant’s products, services, relationships with customers or suppliers, or competitive conditions,” or in the Legal Proceeding disclosure if a cyber incident is involved in a material pending legal proceeding to which a registrant or any of its subsidiaries is a party.
The SEC was mindful that the disclosure of such information might itself increase the risk that a company might provide a roadmap for those who seek to infiltrate a company’s network security and target it for a cyber attack, and indicated that, “[w]hile registrants should provide disclosure tailored to their particular circumstances and avoid generic “boilerplate” disclosure, we reiterate that the federal securities laws do not require disclosure that itself would compromise a registrant’s cybersecurity.”
What Should a Company Do?
To comply with the Regulation S-K Item 503(c) requirements for cybersecurity risk factor disclosures, companies will need to evaluate how their internal data security policies and procedures address the particular cybersecurity risks that they face. Companies will need to disclose material past cybersecurity incidents, future risks and any foreseeable consequences resulting from a cybersecurity breach. Recent EDGAR filings with the SEC illuminate how public companies have begun to make cybersecurity disclosures. Below is a short excerpt derived from the BNA Securities Regulation & Law Report of 10-K cybersecurity disclosures made by selected companies in various industries.
Source: BNA Securities Regulation and Law Report, Vol. 43, No. 41; Pg. 2081-2136, October 17, 2011