Citing the “grave threats posed to investors, our capital markets, and our country” by cybersecurity risks, the Securities and Exchange Commission issued interpretive guidance to public companies to reinforce and expand on 2011 guidance by the SEC’s Division of Corporation Finance.
The SEC noted the following potential costs to a company affected by a cybersecurity attack or incident and explained how existing disclosure requirements may apply to each, even though the rules do not expressly address cybersecurity:
- Remediation costs, for example, from liability for stolen information or damage to IT systems.
- Increased costs of cybersecurity protection.
- Lost revenue, for example, from unauthorized use of proprietary information or loss of customers.
- Litigation and legal risks.
- Increased insurance premiums.
- Reputational damage.
- Damage to competitiveness.
According to the SEC, disclosure of material cybersecurity risks may be required pursuant to particular registration statement items or provisions of Exchange Act forms and regulations, such as:
Form or Rule / Provision Requiring Cybersecurity Risk Disclosure:
- Item 1, Business; Item 1A, Risk Factors; Item 3, Legal Proceedings; Item 7, Management’s Discussion and Analysis (MD&A); Item 8, Financial Statements; Item 9A, Controls and Procedures; Item 10, Directors, Executive Officers and Corporate Governance
- Part I: Item 1, Financial Statements; Item 2, MD&A; Part II: Item 1A, Risk Factors (also, not cited in the release, Part I, Item 4, Controls and Procedures; Part II, Item 1, Legal Proceedings)
- Item 7, Directors and Officers
- Item 3.D, Risk Factors; Item 4.B, Business Overview; Item 5, Operating and Financial Review and Prospects
- Controls and Procedures
In addition to specific disclosure requirements, the SEC noted that a company is obligated to disclose “such further material information … as may be necessary to make the required statements … not misleading”; so a company should review its disclosure to determine whether including a particular cybersecurity risk or incident would be regarded by a reasonable investor as significantly altering the total mix of information available about the company.
As it has in numerous similar cases, the SEC cites, as authority for requiring cybersecurity risk disclosure, the MD&A requirement to disclose “events, trends, or uncertainties that are reasonably likely to have a material effect on [a company’s] results of operations, liquidity, or capital condition, or that would cause reported financial information not to be necessarily indicative of future operating results or financial condition …”
In the release, the SEC interprets requirements to establish, maintain and make disclosure regarding disclosure controls and procedures as encompassing cybersecurity risks, as does management’s evaluation of the effectiveness of such controls. Likewise, cybersecurity risks are an element of a board of directors’ risk management responsibilities, which must be described in a company’s annual proxy statement. A public company must also establish and maintain policies against insider trading before material information regarding a cyberattack is made public and procedures to enable compliance with the policies, including, potentially, the imposition of an insider trading “blackout” period. Finally, the SEC addressed the selective disclosure issues created by cybersecurity risks and incidents and reminded public companies to make any required Regulation FD public disclosure.