The SEC issued guidance reminding companies to review their disclosure and adequately address risks in documents filed with the SEC relating to cybersecurity.7 The SEC noted that cyber attacks could cause a company to incur substantial costs and cause negative consequences to the company, which may include, but are not limited to:
- Remediation costs;
- Increased cybersecurity protection costs;
- Lost revenues;
- Litigation; and
- Reputational damage.
Disclosures that a company may need to make, which the SEC notes in the guidance, include, but are not limited to, the following:
- Discussion of the company’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
- To the extent the company outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
- Description of cyber incidents experienced by the company that are individually, or in the aggregate, material, including a description of the costs and other consequences;
- Risks related to cyber incidents that may remain undetected for an extended period; and
- Description of relevant insurance coverage.
Although the cybersecurity guidance doesn’t create new disclosure standards, a company should consider its risks relating to cybersecurity and review and revise disclosure, as necessary, in the documents it files with the SEC, including disclosure contained in the following sections: business, risk factors, MD&A, financial statement notes, and disclosure controls and procedures.