In the wake of a number of high-profile cybersecurity incidents, the SEC’s Division of Corporation Finance recently released disclosure guidance on the topic of cybersecurity. While the guidance creates no new legal obligations, it is intended to provide clarity regarding the forms of disclosure that registrants may have to make. In the release, the Division of Corporation Finance recognized that while no current disclosure requirements explicitly refer to cybersecurity, there are a number of existing disclosure obligations that may require registrants to disclose cybersecurity risks or incidents.
Such cyber incidents may be deliberate or unintentional, and include gaining unauthorized access to digital systems for the purpose of misappropriating assets or sensitive information, causing operational disruption or corrupting data. Meanwhile, the concept of a cyber attack also includes actions that don’t require unauthorized access to a computer system, such as denial-of-service attacks on websites. Cyber attacks may be carried out by insiders or third parties, and may use sophisticated technology to circumvent network security, or more traditional techniques like guessing or stealing a password to gain access to a computer network.
Ultimately, the guidance considers six areas in which disclosure of cybersecurity risks or incidents may be required under current regulations:
- Risk Factors: The guidance provides that registrants “should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.” In making this determination, registrants should look at the severity and frequency of past cyber incidents, and should consider the probability and potential costs and other consequences of future incidents. Registrants should also consider the adequacy of any protective measures which are in place. The guidance also states that in order to place the discussion of cybersecurity risks in context, registrants may need to disclose known cyber attacks or threats, instead of simply stating that these events may occur. The guidance notes, however, that there is no requirement to disclose information that would compromise a registrant’s cybersecurity.
- Management’s Discussion and Analysis (MD&A): Where the consequences of a known cyber incident (or the risk of a potential incident) represent a material event, trend or uncertainty that is likely to have a material effect on the registrant’s financial condition or other elements of the registrant’s reported financial results, this should be discussed in the registrant’s MD&A.
- Description of Business: The guidance provides that registrants should disclose any cyber incidents which materially affect the registrant’s “products, services, relationships with customers or suppliers, or competitive conditions” in the registrant’s Description of Business.
- Legal Proceedings: If a registrant is party to a material pending legal proceeding that involves a cyber incident, this may need to be disclosed in the registrant’s Legal Proceedings disclosure.
- Financial Statement Disclosures: The guidance outlines several ways in which cyber incidents may impact financial statement disclosures. Registrants will need to ensure that prevention costs, contingent losses, and customer incentives provided in the wake of an incident are properly recognized. A cyber incident may also result in diminished future cash flows and an accompanying impairment of assets such as goodwill, trademarks, or patents. Further, the reassessment of assumptions underlying the estimates made in preparing financial statements may be required, and registrants must explain the risk or uncertainty of a reasonably possible change in its estimates in the near-term that would be material to financial statements.
- Disclosure Controls and Procedures: Finally, where cyber incidents pose a risk to a registrant’s ability to record, process or report information required in SEC filings, a registrant may consider whether this risk renders the registrant’s disclosure controls and procedures ineffective. As an example, the guidance highlights the situation where “if it is reasonably possible that information would not be recorded properly due to a cyber incident affecting a registrant’s information systems, a registrant may conclude that its disclosure controls are ineffective.”
Ultimately, the guidance underscores the important role that cybersecurity plays in business and the potential impact should cybersecurity be compromised. Given the number of ways in which cybersecurity threats or incidents may materially impact a business, registrants must carefully consider whether they are obligated to disclose such incidents through one or more of the six categories above.