On October 13, the Securities and Exchange Commission's Division of Corporation Finance issued written guidance regarding disclosure obligations relating to cybersecurity risks and cyber incidents (i.e., actual incidents of data breaches or other cyber attacks). The guidance is not a rule or regulation and does not impose new disclosure requirements. Rather, the guidance represents the views of the Division of Corporation Finance regarding how existing disclosure requirements apply to cybersecurity risks and cyber incidents.

As businesses increasingly depend on computers and digital technologies to conduct their operations, the risks associated with cybersecurity have also increased. Cybersecurity risks include attacks to gain unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data, or causing operational disruptions. Companies that fall victim to successful cyber attacks may incur substantial costs and suffer other negative consequences, which may include remediation costs (which in turn may include liability for stolen information and costs of incentives offered to customers to maintain the business relationship after the attack), increased cybersecurity protection costs, lost revenue, litigation expenses, and reputational damage.

Although no existing disclosure requirement explicitly refers to cybersecurity risk and cyber incidents, a number of disclosure requirements may impose an obligation to disclose such risks and incidents. The SEC highlighted the following disclosure obligations:

Risk Factors

Companies should disclose the risk of cyber incidents if these issues are among the most significant risk factors that make an investment in the company speculative or risky. In evaluating whether risk factor disclosure should be provided, the company should consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption.

If risk factor disclosure is warranted, the disclosure must adequately describe the nature of the material risks and specify how each risk affects the company. To the extent applicable, appropriate disclosure may include: discussion of aspects of the company's business or operations that give rise to material cybersecurity risks and the potential costs and consequences; to the extent that the company outsources functions that have material cybersecurity risks, description of those functions and how those risks are addressed; description of material cyber incidents, including the costs and consequences; and risks relating to cyber incidents that may remain undetected for an extended period. The SEC emphasized that while companies should provide disclosure tailored to their particular circumstances and avoid boilerplate disclosure, the federal securities laws do not require disclosure that itself would compromise a company's cybersecurity.

Other Disclosure Requirements

Other disclosure requirements that may impose an obligation to disclose cybersecurity risks and cyber incidents include the following, which, in each case, should reflect a materiality analysis that applies a probability/magnitude assessment similar to that discussed above regarding possible risk factor disclosure:

  • MD&A

Companies should address cybersecurity risks and cyber incidents in the Management's Discussion and Analysis of Financial Condition and Results of Operations portions of their quarterly and annual reports if the costs or other consequences associated with known incidents or potential incidents represent a material event, trend or uncertainty that is reasonably likely to have a material effect on the company's results of operations, liquidity or financial condition.

  • Description of Business

If one or more cyber incidents materially affect a company's products, services, relationships with customers or suppliers, or competitive conditions, the company should provide disclosure in the company's "Description of Business" disclosure.

  • Legal Proceedings

If a material legal proceeding involves a cyber incident, the company may need to disclose information regarding this litigation in its "Legal Proceedings" disclosure.

  • Disclosure Controls and Procedures

Companies are required to disclose conclusions on the effectiveness of disclosure controls and procedures. To the extent cyber incidents pose a risk to a company's ability to record, process, summarize, and report information that is required to be disclosed in SEC filings, management should also consider whether there are any deficiencies in its disclosure controls and procedures that would render them ineffective.