On October 13, 2011, the Division of Corporation Finance of the U.S. Securities and Exchange Commission (SEC) issued guidance on disclosure obligations relating to cybersecurity risks and incidents. Although the publication asserts that it is not a rule, a regulation or even a statement of the SEC, it outlines various impacts and risks resulting from cybersecurity matters that should be regularly evaluated and that may give rise to SEC disclosure requirements. These include not merely specific incidents of data breach, but also the probability of cyber-incidents occurring, as well as the quantitative and qualitative magnitude of those risks. They also include potential costs or other consequences resulting from a data breach or disruption, and the cost of efforts to curtail or insure against them. The guidance also identifies specific code provisions that are instructive when evaluating how and when to report specific costs and losses that may be associated with cybersecurity matters. It also makes clear that the SEC disclosure requirements should not be read so broadly as to require that a registrant reveal information that would itself compromise that registrant's cybersecurity.
The guidance cautions against simply disclosing a "generic" risk that may result from the registrant's use of digital technologies to conduct its operations. Accordingly, as with other operational and financial risks, a registrant should be mindful of cybersecurity risks in the context of its specific business and industry and should be proactive in evaluating (and potentially disclosing) how its use of, experience with and dependence upon digital technologies affect its SEC disclosures. This includes statements that may appear in its "MD&A" ("Management's Discussion and Analysis of Financial Condition and Results of Operation"), "Description of Business," "Legal Proceedings" and "Financial Statement" disclosures.