Responding to the increased risk that cyber attacks, and the cost of defending against them, pose to companies, the Securities and Exchange Commission’s Division of Corporation Finance issued CF Disclosure Guidance: Topic No. 2, which advises public companies on how to evaluate whether they should disclose cybersecurity risks or cybersecurity incidents. Current SEC rules do not explicitly require companies to disclose cybersecurity risks or cybersecurity incidents, whether caused by deliberate attack or by unintentional events, or their impact on a company’s financial condition or competitive position. Nonetheless, as we’ve previously described in our January 2011 advisory, What Needs to be Disclosed About Data Privacy and Security in SEC Filings?, certain existing SEC rules that apply to various filings, such as quarterly and annual reports and registration statements, as well as other securities laws, require disclosure of the “material” events and conditions listed in those rules. While the new SEC guidance does not create any new obligations, it reminds companies that efforts to protect against a cybersecurity incident, or the incident itself, may well compel disclosure under those existing rules and, in addition, must be considered in a company’s evaluation of its disclosure controls and procedures.
The SEC makes clear that it is not requiring disclosure of a “roadmap” for potential cyber attackers, but rather full, timely, and accurate disclosure about risks and events that a reasonable investor would consider important to an investment decision. At the same time, such disclosure should not be “boilerplate” language that could apply to any company or any offering.
The SEC guidance covers the following key items:
Risk Factors
Item 503(c) of the SEC’s Regulation S-K requires a company to disclose the most significant risk factors that make an investment in the company “speculative or risky,” to the extent they are not generally applicable to “any issuer” or “any offering.” The SEC guidance reminds companies to consider whether the risk of cybersecurity incidents is among those most significant factors.
Cybersecurity risks might relate to, among other things, the potential costs and consequences of cybersecurity incidents, risks arising from outsourced functions, risks related to cybersecurity incidents that remain undetected for an extended period, and the adequacy of relevant insurance coverage.
When determining whether to include cybersecurity risks among its risk factors, a company should consider the adequacy of the preventive measures it has put in place to reduce those risks, in the context of the industry in which it operates and the threats to its security, including threatened attacks of which it is aware.
Management’s Discussion and Analysis of Financial Condition and Results of Operations
The SEC guidance reiterates that Item 303 of Regulation S-K, which provides for management’s discussion and analysis of the company’s financial condition and results of operations (MD&A), requires disclosure if the costs or other consequences of one or more known cybersecurity incidents, or the risk of potential incidents, represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the company’s results of operations, liquidity, or financial condition, or that would cause reported financial information not to be necessarily indicative of future operating results or financial condition. Examples given by the SEC include disclosure of reduced revenues resulting from an attack and of increased cybersecurity protection costs and expenditures, whether incurred as a result of an attack or as a preventive measure.
Description of Business
The SEC guidance reminds companies that under Item 101 of Regulation S-K, a company’s description of its business may need to include disclosure of a cybersecurity incident or incidents, if one or more such incidents materially affects the company’s relationships with customers or suppliers, services, products, or competitive conditions. When considering whether to include such disclosure, companies should also consider the effects on their reportable segments.
Legal Proceedings
Item 103 of Regulation S-K, relating to the disclosure of certain legal proceedings, requires disclosure of “any material pending legal proceedings, other than ordinary routine litigation incidental to the business.” If a material pending legal proceeding to which a company is a party involves a cybersecurity incident, the guidance reminds companies that they may need to address it in the company’s legal proceedings discussion.
Financial Statement Disclosures
The guidance reminds companies that cybersecurity risks and cybersecurity incidents may have a broad impact on a company’s financial statements, depending on the nature and severity of the potential or actual incident. As examples with potential accounting consequences, the guidance lists the capitalization of software costs related to cybersecurity, customer incentives given to mitigate the impact of a cybersecurity incident, and losses from asserted and unasserted claims, including those related to warranties, breach of contract, product recall and replacement, and indemnification of counterparties for their remediation costs. In addition, the guidance reminds companies that they must disclose loss contingencies that are at least reasonably possible. Cyber attacks may also diminish future cash flows, requiring consideration of impairment of certain assets, such as capitalized software or other long-lived assets associated with hardware or software, inventory, trademarks, patents, customer-related intangible assets, or goodwill. The SEC guidance also notes that if a cybersecurity incident occurs or is discovered after the date of a company’s balance sheet but before the financial statements are issued, the company should consider whether disclosure of a recognized or non-recognized subsequent event is necessary.
Disclosure Controls and Procedures
Under Item 307 of Regulation S-K, companies must disclose their conclusions on the effectiveness of disclosure controls and procedures. The SEC guidance reminds companies that if cybersecurity incidents pose a risk to a company’s ability to record, process, summarize, and report information that must be disclosed in SEC filings, management should consider whether the disclosure controls and procedures have deficiencies that would render them ineffective.
If a cybersecurity incident, or the measures put in place to reduce the risk of one, triggers any of the items above, or if material information about cybersecurity incidents or risks is needed to keep other required disclosures from being misleading, companies should be prepared to add appropriate disclosure to their SEC filings. Even if a company determines that no disclosure is currently required, it should reassess its potential disclosure obligations on an ongoing basis, because cybersecurity is a rapidly developing area.
The above is a general summary of the SEC’s disclosure guidance pertaining to cybersecurity. For additional information, see our January 2011 advisory.