In light of the increasing rate of security breaches in industry and government, the US Securities and Exchange Commission (SEC) has issued guidelines encouraging public companies to disclose cyberattacks waged against them. The guidelines apply to both domestic US companies and foreign private issuers, and may therefore apply to Canadian companies registered in the US.
What types of disclosure are required?
A company is obligated to disclose material information relating to risks (e.g., a security system failure) and incidents (e.g., a security breach) if necessary to avoid misleading investors in light of other required disclosures.
When is disclosure required?
In determining whether such risk factor disclosure is required, all relevant information should be taken into account, including:
- prior cybersecurity incidents
- the frequency and severity of those past incidents
- the probability of cybersecurity incidents occurring in the future
- the likely frequency and severity of those future incidents
- potential costs and consequences resulting from the:
  - misappropriation of assets or sensitive information,
  - corruption of data, or
  - disruption to company operations
- the adequacy of preventative cybersecurity measures currently in place
- threatened cybersecurity attacks of which the company is aware
What should the disclosure contain?
Risk factor disclosures should describe both the nature and potential effect of the material risks on the company. Only risks that are specific to the company should be described.
Consider including descriptions of the following when formulating the disclosure:
- those elements of the business or operations that are susceptible to cybersecurity risks (e.g., risk of intellectual property theft)
- the potential costs and consequences related to those risks
- outsourced functions that entail cybersecurity risks and how the company deals with those risks
- prior cybersecurity incidents and the costs and consequences that ensued (e.g., theft of intellectual property assets)
- the possibility of undetected cybersecurity breaches and ensuing risks
- insurance coverage against cybersecurity incidents
Where to make the disclosure?
The disclosure requirements generally extend to the following SEC filings: Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A), Description of Business, Legal Proceedings, and the company’s financial statement disclosures.
The guidelines were issued by the Corporation Finance division of the SEC and the scope of the obligations they create is limited. First, the guidelines themselves are not a binding instrument, though they refer to a number of pre-existing general disclosure obligations that can also apply in the case of a cybersecurity breach. Second, the SEC is wary of further compromising cybersecurity and does not require disclosures that would provide a “roadmap” to would-be network infiltrators.
Already in Canada
The mandatory disclosure of security breaches has already been seen north of the border. In May 2010, Alberta became the first Canadian province to legislate a data breach notification requirement in the private (non-health) sector. The province’s Personal Information Protection Act requires organizations to notify the provincial privacy commissioner where an individual’s personal information is lost or improperly accessed. The commissioner then has the discretion to order the company to notify those individuals that are at a real risk of significant harm resulting from the breach. The federal government has also introduced a bill which proposes to amend the federal private sector privacy statute to include a breach notification requirement.
SEC vs. Alberta – Not the same objectives
There is a noticeable difference between the SEC guidelines and Alberta disclosure requirements. The objectives behind the Alberta disclosure requirements are to allow people to take precautions against further harm and to encourage businesses to adopt increased security measures. Consequently, notification need only extend to those individuals at risk of significant harm resulting from the breach. In contrast, the SEC guidelines are aimed at allowing the market to evaluate a company based, in part, on risks to information security. Hence, the disclosure is to the public at large.
Cybersecurity affects both small and large businesses
While larger companies are likely to have greater resources to devote to information security, recent cybersecurity incidents have taught us that on-hand resources do not necessarily prevent a security intrusion from inflicting severe damage. The information security breach that crippled Sony’s PlayStation Network in early 2011 will reportedly cost the company $171m (excluding any resulting lawsuits). Moreover, the incident was a PR disaster for Sony after the sensitive data of over 100 million customers was exposed. There is little doubt that small, mid-sized, and large businesses can all benefit from adopting reasonable information security policies and systems.
If you represent a publicly traded corporation, consider the following courses of action:
- Get ahead of the curve. Be ready with a data breach policy in place should a security breach occur. Ensure adequate consideration is given to the various types of disclosure that may be required by law.
- Instil confidence in investors. Having adequate security measures and policies in place provides a sign to investors that you take cybersecurity seriously.
For further information, please consult the SEC Guidelines: “CF Disclosure Guidance: Topic No. 2” (issued on October 13, 2011).