In response to various political pressures, including a letter dated May 11, 2011, from Senator Jay Rockefeller (D-WV) and four other senators to SEC Chairman Mary Schapiro, the staff of the Securities and Exchange Commission's (SEC) Division of Corporation Finance issued guidance on October 13, 2011 setting out its views on disclosure obligations relating to cybersecurity risks and cyber incidents.
While not a formal interpretation, the guidance provides valuable insight into the disclosure practices registrants should consider when evaluating their own cybersecurity posture, including both risks and incidents. In particular, the guidance clarifies registrants' responsibility to discuss cybersecurity and cyber incidents in the risk factors and MD&A sections of their public reports. In describing risk factor disclosure obligations related to cybersecurity, the guidance notes that registrants should make disclosure if "these issues are among the most significant factors that make an investment in the company speculative or risky." The guidance also notes that discussion of cybersecurity issues may be required in MD&A if one or more known cyber incidents, or the risks of any potential incident, are likely to materially affect the registrant's results of operations, liquidity or financial condition. Disclosure may also be required if such an incident would cause reported financial information to be not necessarily indicative of future operating results or financial condition.