The Securities and Exchange Commission (SEC) has issued guidance to public companies on disclosure of cybersecurity and data breach risks. The release comes from the Commission's Division of Corporation Finance and is not a rule or regulation, but it is clear that public companies that ignore the advice in the Disclosure Guidance and fail to assess and disclose material cybersecurity risks could face regulatory and legal action.
A full discussion of the Disclosure Guidance is available in a Mintz Levin Client Advisory.
A key point from an information management perspective is that the plain language of the Guidance can only be read as calling for particular and specific (non-generic) disclosure where the risk of a cyber attack or data breach is reasonably likely to be material to a public company. The Guidance covers not only privacy and data breach risk in the usual sense, but also cyber attacks that could result in the theft of material intellectual property. The SEC staff gave as an example:
"if material intellectual property is stolen in a cyber attack, and the effects of the theft are reasonably likely to be material, the registrant should describe the property that was stolen and the effect of the attack on its results of operations, liquidity, and financial condition and whether the attack would cause reported financial information not to be indicative of future operating results or financial condition."
A company can only disclose cybersecurity risks accurately if it first performs a risk assessment to determine whether disclosure is required and, if so, what it must cover. Directors and officers outside the traditional information technology and security management circle will need to pay greater attention to these potential disclosure issues.
The Guidance may also change the traditional breach notification process. Companies may now need to analyze not only whether notice to affected individuals is necessary, but also whether shareholders should receive a disclosure in the financial statements and whether other SEC filings (such as a Form 8-K) should be made in connection with a data breach.