On October 13 the Securities and Exchange Commission (SEC) Division of Corporation Finance released CF Disclosure Guidance: Topic No. 2 - Cybersecurity (the "Guidance"), which is intended to provide guidance to companies on whether and how to disclose the impact of the risk and cost of cybersecurity incidents (both malicious and accidental) on a company.
This represents a reminder that companies should think about cybersecurity and data breach incidents when deciding how to fulfill their obligations under the SEC's existing disclosure requirements. Up to this point, the market's focus has been on how US law requires disclosure of data breaches affecting personal information of specific types. Other security incidents only became public knowledge because of unofficial disclosures or because of their effect (e.g., a denial of service attack). Now, the SEC has made it clear that the risks associated with cyber incidents, the costs of mitigating those risks, and the consequences of a cyber incident may rise to the level of materiality that would require disclosure to investors and regulatory authorities.
Although the Guidance is not, in itself, a rule or regulation, companies who ignore such guidance may do so at their peril.
From the Guidance:
"The federal securities laws, in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision. Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. In addition, material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading. Therefore, as with other operational and financial risks, registrants should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents." [Emphasis added]
Evaluation of a company's own cybersecurity profile is hard enough, but it's made even more difficult in a world where a significant portion of a company's services are outsourced and cloud-based.
In Parts One and Two of this article we'll look at the Guidance and how it applies to companies in general. In Parts Three and Four we'll look at ways to evaluate and document the security of your cloud-based service providers.
Although the SEC's language focuses on cyber attacks, many of those same consequences would apply to an accidental incident. Given the potential adverse consequences of a cyber incident, the Guidance states, "as with other operational and financial risks, registrants should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents."
The remainder of the Guidance focuses on how companies should disclose and discuss cyber incidents in the context of various reporting obligations.
To determine whether your company is required to disclose a particular cyber-related risk factor in accordance with the Regulation S-K Item 503(c) requirements, the SEC has said that companies should evaluate their cybersecurity risks and take into account all available relevant information, including:
- prior cyber incidents and the severity and frequency of those incidents;
- the probability of cyber incidents occurring;
- threatened attacks of which they are aware, which could include things like the hacker group Anonymous' potential threats to attack Facebook;
- the quantitative and qualitative magnitude of those risks, including potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption;
- the adequacy of preventative actions taken to reduce cyber-related risks in the context of the industry in which they operate and risks to that security.
Tying these to the industry in which a company operates might also mean that a company needs to consider the recent US Department of Homeland Security report that raises the possibility that members of Anonymous are actively looking for ways to attack critical infrastructure. At the same time, however, the Guidance states that risk disclosure must adequately describe the nature of the material risks and how each risk affects the company. According to the SEC, companies should not present risks that could apply to any company and should avoid generic risk factor disclosure. Depending on your particular facts and circumstances, and to the extent material, appropriate disclosures may include:
- Discussion of aspects of your business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
- If your company outsources functions that have material cybersecurity risks, description of those functions and how you address those risks, which, for cloud-based services will be discussed in Parts Three and Four;
- Description of cyber incidents your company has experienced that are individually, or in the aggregate, material, including a description of the costs and other consequences;
- Risks related to cyber incidents that may remain undetected for an extended period; and
- Description of relevant insurance coverage.
According to the SEC, a company might have to disclose known or threatened cyber incidents to place the discussion of cybersecurity risks in appropriate context. The SEC provides the following example, "if a [company] experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur. Instead, as part of a broader discussion of malware or other similar attacks that pose a particular risk, the registrant may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences." In this context, if predictions from this Information Week article regarding the malware discovered in 2010 on the NASDAQ Director's Desk platform are correct, it will be interesting to see how companies might disclose the risks associated with that cyber attack.
In Part Two we'll look at the rest of the Guidance and its specific recommendations for handling disclosure of cyber-related risks and incidents under that various reporting regulations.