On October 13, 2011, the Staff of the Securities and Exchange Commission’s (SEC) Division of Corporation Finance issued guidance[1] (the “Cybersecurity Guidance” or “Guidance”) regarding its views on disclosure obligations relating to cybersecurity risks and cyber incidents. The Staff took this action in response to various political pressures, including a letter dated May 11, 2011, from Senator Jay Rockefeller (D-WV) and four other senators to SEC Chairman Mary Schapiro.[2]
The Cybersecurity Guidance makes clear that the statements contained therein represent only the views of the Staff, and that “the Commission has neither approved nor disapproved its content.” Nonetheless, the Guidance provides important insight into the direction the SEC may be going in requiring registrants to disclose information about their cybersecurity practices.
The issuance of the Guidance is also likely to be used by the White House, Congress and other federal policy makers to promote the need for more extensive federal cybersecurity statutes and regulations that would impose affirmative obligations on businesses to better protect their networks and to make public disclosures (beyond SEC filings) about security breach incidents. On May 12, 2011, the Obama Administration released its cybersecurity legislative proposal,[3] as required in the Cyberspace Policy Review[4] and in response to a request from Senate Majority Leader Harry Reid (D-Nev.) and six other Senate committee chairs for draft cybersecurity legislation. Additionally, on October 5, 2011, the House Republican Cybersecurity Task Force issued a report with its recommendations on federal cybersecurity legislation pursuant to a request by the House Republican leadership.[5] The Task Force’s report examined four critical areas: critical infrastructure and incentives; information sharing and public-private partnerships; existing cybersecurity laws; and legal authorities. Given this political backdrop, the Guidance could be viewed as the first step in a broad federal government initiative to raise the standard of cybersecurity practices across industry.
What Disclosures Does the Cybersecurity Guidance Recommend?
The Guidance presents the Staff’s advice on how registrants, including all public companies, should consider and disclose possible cybersecurity issues under existing SEC rules. The Guidance includes sections on how registrants should disclose cybersecurity issues in various sections of their public reports, including Risk Factors, Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A), Description of Business, Legal Proceedings and financial statement disclosures. While not a formal interpretation, the Guidance provides valuable insight into the sort of disclosure practices registrants should consider when evaluating their own cybersecurity (including risks and incidents).
In particular, the Guidance clarifies registrants’ responsibility to discuss cybersecurity and cyber incidents in the risk factors and MD&A sections of their public reports. In describing risk factor disclosure obligations related to cybersecurity, the Guidance notes that registrants should make disclosure if “these issues are among the most significant factors that make an investment in the company speculative or risky.” This type of analysis should include all relevant information, including current cybersecurity practices and past cyber incidents. Additionally, consistent with Regulation S-K Item 503(c), the risk disclosure should describe the nature of the material risk and how that risk might affect the registrant. Examples of appropriate disclosures might include:
- aspects of the registrant’s business that give rise to material cybersecurity risks, and the possible costs;
- descriptions of cyber incidents that are individually or in the aggregate material; and
- risks related to cyber incidents that could remain undetected for an extended period.
The Guidance also notes that discussion of cybersecurity issues may be required in MD&A if one or more known cyber incidents, or the risks of any potential incident, are likely to materially affect the registrant’s results of operations, liquidity or financial condition. Disclosure may also be required if such an incident would cause reported financial information not to be indicative of future operating results or financial condition. For instance, disclosure would be required if material intellectual property were stolen during a cyber-attack and the effects of the theft were reasonably likely to be material.
Are These New Disclosure Requirements?
No, these are not new SEC disclosure requirements. However, from time to time the SEC Staff issues disclosure guidance in order to focus registrants’ attention on existing disclosure requirements that the Staff believes warrant particular attention. The SEC has issued similar guidance in the past on a variety of topics, including political risks in foreign operations, Y2K and the effects of climate change.[6]
In this instance, the Guidance clarifies what the Staff believes the current SEC rules require with respect to cybersecurity and cyber incidents. For instance, the Guidance points out that while no existing disclosure requirements refer specifically to cybersecurity risks and cyber incidents, a number of current disclosure requirements may include an obligation to disclose such risks and incidents. As with any type of information, registrants are required to disclose material information about cybersecurity risks and incidents when necessary to make other required disclosures not misleading.
What Should Companies Do Now?
In general, registrants should bear in mind that cybersecurity practices and cyber incidents should be disclosed in their public reports if those practices and incidents are material. In particular, registrants may want to:
- review, and possibly revise, disclosure controls and procedures in order to capture cybersecurity-related issues;
- educate members of the disclosure committee or other members of management responsible for disclosure about cybersecurity issues;
- undertake a specific review of any existing internal assessments of the possible impact of cybersecurity practices and cyber incidents on the company’s operations or prospects;
- revisit existing disclosures regarding the company’s business, including MD&A and risk factors, to determine whether additional or revised disclosures are necessary; and
- assess the risk and consider whether to engage policy makers regarding additional cybersecurity legislative and regulatory proposals currently being considered in Washington that may also impact a registrant’s cybersecurity practices.