The SEC recently issued new disclosure guidance about cyber security risks. In summary, the SEC is directing public companies to review, on an ongoing basis, the adequacy of their disclosure relating to cyber security risks and cyber incidents. The disclosure guidance does not create new standards, but reminds public companies of existing disclosure requirements that may apply to cyber security risks and cyber incidents.
The bottom line is that this guidance should cause public companies, including their senior management and boards of directors, to give more attention to assessing cyber security as part of their enterprise risk assessments, because a discussion of cyber security risks and cyber incidents may become expected in public company financial disclosure. It should also prompt public companies to include these issues in their disclosure controls processes.
The SEC provides more specific guidance about disclosure in six areas of public company financial reports: Risk Factors, Management’s Discussion and Analysis (MD&A), Business Description, Legal Proceedings, Financial Statement Disclosure, and Disclosure Controls and Procedures.
On the latter point, public companies will need to assess and disclose conclusions about the impact of cyber security risks and cyber security incidents on the effectiveness of the organization's controls over financial disclosure, including whether there are any deficiencies that would render those controls ineffective. Additionally, public companies should supplement their disclosure controls checklists, so that their disclosure controls processes will include consideration of possible disclosure about cyber risks and cyber incidents.
Companies are not required to disclose any or all of the issues that are identified for consideration and discussion by their disclosure controls committees. In fact, the SEC recognizes that detailed disclosures of these issues could increase the cyber risks. Because of individual security clearances and similar constraints, the organization may have concerns about which personnel can take part in IT security discussions or receive any report about those issues. The process might, therefore, require that those discussions occur in a smaller group.
The list of questions below is intended to (a) prompt a discussion in the disclosure committee of any meaningful changes in the company’s cyber risk profile and whether additional disclosure (or other action) is warranted, and (b) create a written record that management thoughtfully considered the principal data security and privacy risks facing the company in order to determine whether additional disclosure (or other action) is warranted.
- Any significant change to the nature or level of cyber security risks facing the company or affecting the company’s services to customers [such as any meaningful increase in actual or threatened penetration attempts, spear phishing or other advanced persistent threats (APT), or denial of service (DoS) attacks]
- Any significant cyber incident [such as malware embedded in any company system which may have exposed or compromised any of the company’s confidential or proprietary information, or the transmission or other exposure via the internet of unencrypted personal information of any customer, employee or other individual]
- Any significant cyber security risk deficiency that was identified in any review or audit of the company’s information security or data privacy practices
- Any significant change to the company’s expenses or capital costs of mitigating cyber security risks, such as an increase in cyber risk insurance premiums or services purchased to avoid system penetration
- Any significant change in the company’s ability to promptly respond to, and promptly resume operations after, a cyber incident or damage or loss of power to the company’s principal data center or any other systems important to maintaining operations
This blog was written by Jim Brashear