An increasing number of public companies – particularly banks and financial institutions – are disclosing cybersecurity incidents in their filings with the Securities and Exchange Commission. Companies are also replacing boilerplate cyber risk disclosures with more detailed disclosures of specific events or threats. This recent round of fuller disclosures, which arose primarily from the widespread distributed denial of service attacks against major banks last fall, indicates that the SEC’s guidance regarding cybersecurity disclosures is gaining traction among public companies.
In 2011, the SEC’s Division of Corporation Finance (the “SEC”) issued guidance regarding the disclosure of cybersecurity risks by public companies. Although the guidance did not create new disclosure requirements, it did clarify how existing disclosure requirements apply in the context of cybersecurity. For example, the guidance explained that companies should consider cybersecurity matters when preparing their financial disclosures, disclosure of risk factors, and conclusions regarding the adequacy of their disclosure controls and procedures. Depending on the fallout from a cybersecurity incident, public companies may also be required to disclose resulting material litigation.
The SEC was careful to point out that federal securities laws do not require disclosures that would compromise a company’s cybersecurity, and the SEC acknowledged the concern that broad disclosure of a company’s vulnerabilities or the details of a recent breach could provide a roadmap for future attacks. However, the guidance made clear that these concerns do not allow public companies to avoid disclosure of cyber risks altogether.
In light of increasing cybersecurity disclosures – and the inquiry letters the SEC issued in 2012 regarding the adequacy of certain companies’ disclosures – companies should consider their compliance with the SEC’s guidance. Inadequate disclosures can lead to expensive and time-consuming legal or administrative actions. Companies should carefully consider how to make adequate disclosures of cybersecurity risks and incidents without further imperiling their networks. Haynes and Boone regularly counsels clients on their cybersecurity disclosure obligations, including disclosures regarding sensitive cybersecurity incidents.
Read the Division of Corporation Finance’s cybersecurity disclosure guidance here.