Businesses’ increasing reliance on digital technology and electronic communication and access to conduct their operations raises the risk of “cybersecurity” incidents. Public companies must consider the impact of these security risks on their operations and comply with relevant disclosure obligations under federal securities laws. On October 13, 2011, the SEC’s Division of Corporation Finance released “CF Disclosure Guidance: Topic No. 2” (the “Disclosure Guidance”) to assist registrants with cybersecurity disclosure requirements. The Disclosure Guidance is not an SEC rule, regulation, or statement, but rather an attempt to put cybersecurity risks and cyber incidents in context in light of a registrant’s overall disclosure obligations.
“Cybersecurity” is defined in the Disclosure Guidance as “the body of technologies, processes and practices designed to protect networks, systems, computers, programs and data from attack, damage or unauthorized access.” A “cyber incident” can result from deliberate attacks (e.g., hacking into digital systems for purposes of misappropriating assets or sensitive information, corrupting data, or causing operational disruption) or from unintentional events that cause a denial of service for customers and others. While there are no existing disclosure requirements that specifically address cybersecurity or cyber incidents, the Disclosure Guidance highlights the disclosure requirements registrants should consider when assessing the adequacy of their disclosure generally.
The guidance addresses disclosure considerations applicable to both cybersecurity risks and cyber incidents under the following disclosure obligations:
- Risk Factors. Risk-factor disclosures under Regulation S-K Item 503(c) are required if cyber incidents are among the most significant factors that make an investment in the registrant speculative or risky. Registrants should consider the severity and frequency of any prior cyber incidents and the probability of future cyber incidents, including any known or threatened cyber incidents. Registrants should take into account the adequacy of any preventative measures taken to reduce cybersecurity risks. As with any risk factor disclosure, the staff cautions against (i) presenting risk factors that could apply to any registrant or any offering and (ii) including risk factors with “boilerplate” disclosure.
- MD&A. Under Regulation S-K Item 303, registrants should address cybersecurity risks and cyber incidents in their MD&A if the costs or other impacts of known cyber incidents, or the risk of potential incidents, represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s operations, liquidity, or financial condition, or would cause reported financial information to be non-indicative of future operating results. Even if a prior cyber incident did not have a material effect on the registrant’s financial condition, disclosure of that incident may be required if the incident caused the registrant to materially increase its cybersecurity expenditures.
- Description of Business. Registrants should provide disclosure in the “Description of Business” section of their reports and prospectuses if a cyber incident materially affects the registrant’s products, services, relationships with customers or suppliers, or competitive conditions.
- Legal Proceedings. Registrants should consider whether any legal proceeding involving a cyber incident is material to the registrant such that disclosure is required, consistent with the disclosure they would make for other material legal proceedings.
- Financial Statements. Prior to, during, and after a cyber incident, a registrant should make decisions regarding a number of issues related to its financial statements. For example:
  - Certain Accounting Standards Codifications, such as 350-40 (Internal-Use Software), 605-50 (Customer Payments and Incentives), and 450-20 (Loss Contingencies), address accounting matters that may arise in connection with cyber incidents;
  - Cyber incidents may result in diminished future cash flows, thereby requiring consideration of impairment of certain assets, including goodwill, customer-related intangible assets, trademarks, patents, capitalized software, or other long-lived assets associated with hardware, software, and inventory; and
  - To the extent a cyber incident is discovered after the balance sheet date but before the issuance of financial statements, disclosure of such a subsequent event may be necessary.
- Disclosure Controls and Procedures. Registrants should evaluate the extent to which cyber incidents pose a risk to their ability to record, process, summarize, and report information that is required to be disclosed in SEC filings.
- Form 8-K. The Disclosure Guidance reminds registrants that they may need to disclose the costs and other consequences of material cyber incidents in a Form 8-K if necessary to maintain the accuracy and completeness of information in the context of securities offerings. Although not addressed in the Disclosure Guidance, in other contexts it may be appropriate to address material cyber incidents in a Form 8-K if, for example, they lead to material impairments, or if it is necessary to provide FD-compliant disclosures when voluntarily providing information regarding actual or attempted cyber incidents.
In light of the Disclosure Guidance, registrants should review their existing disclosure controls and procedures relating to cybersecurity risks and cyber incidents and determine what, if any, disclosures relating to such matters should be included in their SEC filings. The Disclosure Guidance cautions that registrants should reassess, on an ongoing basis, such disclosure controls and procedures and any disclosures made in SEC filings.
The Disclosure Guidance is not a new disclosure requirement and registrants should not view it as increasing existing disclosure obligations. Specifically, the staff speculates that registrants may hesitate to include detailed disclosures that could compromise cybersecurity efforts by providing a “roadmap” for potential hackers, and the Disclosure Guidance expressly states that in such an event disclosure would not be required. Accordingly, determining where to draw the line on accurate disclosure that is responsive to the federal securities rules but does not disclose confidential or proprietary information will require close examination by public companies and their advisors. The guidance is meant to answer basic questions regarding the application of the federal disclosure requirements to a “hot topic” in the public domain, and serve as a reminder that existing disclosure obligations extend to cybersecurity issues. Registrants should use the Disclosure Guidance to re-evaluate their current disclosure regarding cybersecurity matters to determine if any changes are necessary.
The complete text of the Disclosure Guidance can be found here.