On October 13, 2011, the Division of Corporation Finance (the “Division”) of the Securities and Exchange Commission (SEC) issued informal guidance regarding the disclosure by public companies of cybersecurity risks and cyber incidents.[1]
While the use of computer networks has increased the efficiency of business operations, it also exposes companies to cyber attacks that may result in the theft of company assets or of sensitive information about the company, its customers and other business partners. Cyber attacks may cause a company not only to incur substantial costs (e.g., remediation costs, litigation costs and costs to increase security) but also to suffer loss of revenue and reputational damage. In issuing its guidance, the Division recognized that with the “increasing dependence on digital technologies,” there has been an increased focus on “how [cybersecurity] risks and their related impact on the operations of a registrant should be described within the framework of the disclosure obligations imposed by the federal securities laws.”
For example, in April 2011, Epsilon, a marketing services firm that manages e-mail lists for major retailers and banks, reported an unauthorized entry into its e-mail system that compromised a subset of customer e-mail addresses and names. News outlets reported that the list of companies affected included a wide variety of S&P companies. Although the Epsilon incident occurred prior to the issuance of the Division’s new guidance, Epsilon’s parent company, Alliance Data Systems Corporation (“Alliance”), reported information regarding the cyber incident in several Form 8-K filings with the SEC.[2] Furthermore, Alliance received a comment letter from the SEC requesting disclosure of the Epsilon incident,[3] and Alliance included such disclosure in its Form 10-Q for the quarter ended March 31, 2011.[4]
While the Division acknowledges that the SEC’s existing disclosure requirements do not explicitly refer to cybersecurity risks and cyber incidents, the Division’s guidance includes a reminder that one of the purposes of the federal securities laws is to “elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision.” The Division’s guidance highlights the following areas in disclosure documents that may require a discussion of cybersecurity risks and cyber incidents:
- In Risk Factors, if the risk of cyber incidents is among the most significant factors that make an investment in the company speculative or risky. In making this determination, the guidance suggests that the following factors may need to be considered: prior cyber incidents and the severity and frequency of those incidents; the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks; potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption; and adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which the company operates and risks to the security of the company’s assets and sensitive information. If risk factor disclosure is required, the guidance advises that generic and boilerplate language should be avoided. Rather, the risk factor disclosure should be tailored to the company, taking into account its specific facts and circumstances, to address the nature of the risk and its impact on the company.
- In Management’s Discussion and Analysis of Financial Condition and Results of Operations, if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the company’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.
- In the Description of Business, if one or more cyber incidents materially affect a company’s products, services, relationships with customers or suppliers, or competitive conditions.
- In Legal Proceedings, if a material pending legal proceeding to which a company or any of its subsidiaries is a party involves a cyber incident.
- In Financial Statements, if cyber incidents affect line items or require special accounting treatment, such as in the following instances:
  - Before a cyber incident occurs, a company may incur substantial costs to prevent cyber incidents, and to the extent such costs are related to internal-use software, the costs need to be capitalized in accordance with Accounting Standards Codification (ASC) 350-40, Internal-Use Software.
  - During and after a cyber incident occurs, a company may need to recognize, measure and classify incentives provided to customers to mitigate damages resulting from a cyber incident; consider losses from claims related to warranties, breach of contract, product recall and replacement, and indemnification of counterparty losses from their remediation efforts; and test for the impairment of certain assets such as goodwill, customer-related intangible assets and trademarks.
- In Disclosure Controls and Procedures, if cyber incidents pose a risk to a company’s ability to record, process, summarize, and report information that is required to be disclosed in its SEC filings and there are deficiencies in its disclosure controls and procedures that would render them ineffective.
Ultimately, companies need to disclose any material information regarding cybersecurity risks and cyber incidents that is necessary in order to make other required disclosures not misleading, in light of the circumstances under which they are made. Cybersecurity risk has always been a potential financial disclosure issue, and something that directors and officers should be taking into account. The Division’s guidance, however, highlights the issue and brings it front and center. While materiality remains the key consideration, and not every breach will need to be reported, the guidance does emphasize the importance of a process and risk assessment that is specific to the company and its business. Companies will need to implement security and controls adequate to estimate the impact of cyber incidents well beyond “privacy-related” issues.
Steps to Be Taken Now
Companies should consider taking the following steps to assist them in complying with disclosure obligations with respect to cybersecurity risks and cyber incidents and the Division’s recent guidance:
- evaluate the company’s exposure to cybersecurity risks and cyber incidents, its policies and procedures regarding such risks and incidents (including risk assessments), and the exposure of the company’s industry generally to cybersecurity risks and incidents;
- regularly review the adequacy of disclosures relating to cybersecurity risks and cyber incidents and update as necessary;
- when testing disclosure controls and procedures, consider the risk of information not being recorded properly due to a cyber incident affecting a company’s information systems;
- educate management (including reporting to directors) regarding the importance of recognition of cybersecurity risks and timely response to cyber incidents; and
- develop mechanisms to have updates regarding cybersecurity risks and cyber incidents promptly reported to the company’s disclosure team as part of an integrated incident response plan.