The SEC’s Division of Corporate Finance released guidance this past year regarding the obligation of a publicly traded company or issuer to disclose cybersecurity risks and cyber incidents. According to the SEC, cybersecurity refers to “the body of technologies, processes and practices designed to protect networks, systems, computers, programs and data from attack, damage or unauthorized access.” In light of the significant cyber-attacks occurring with greater frequency, and evidence that companies of all sizes are readily susceptible to such attacks, the SEC has emphasized that ensuring the adequacy of a company’s cybersecurity measures is a critical part of a board of directors’ risk oversight responsibilities.
The SEC staff has identified cybersecurity as an important matter and includes cybersecurity as an area upon which it issues comments when reviewing a company’s periodic or current reports. To assist registrants in this regard, the SEC staff issued guidance that outlines disclosure considerations and recommends release of information to the market under certain circumstances. According to CF Disclosure Guidance: Topic No. 2, entitled “Cybersecurity,” public companies must disclose cybersecurity risks and cyber incidents to the extent relevant. This new guidance on issuers’ disclosure obligations related to cybersecurity threats and incidents introduces additional issues for management to consider and presents new potential risks for management.
As with other operational and financial risks, issuers must review the adequacy of their disclosures related to cybersecurity risks and incidents. This cybersecurity guidance is similar to the SEC staff interpretive guidance concerning disclosure of climate change matters insofar as it does not create new disclosure standards, but instead emphasizes what the staff wants issuers to consider.
Registrants have a general duty to disclose material information regarding cybersecurity risks and cyber incidents when necessary “in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.” The guidance sets forth specific disclosure considerations and obligations.
Item 503(c) of Regulation S-K and Item 1A of Form 10-K require each registrant to disclose the most significant factors that make an investment in the registrant speculative or risky. A registrant should tailor its cybersecurity risk factor to the registrant’s individual facts and circumstances, including disclosing known or threatened cybersecurity threats and specific past incidents. The SEC staff has suggested that appropriate disclosure might include:
- Discussion of the aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks;
- To the extent the registrant outsources functions that have material cybersecurity risks, a description of those functions and how the registrant addresses those risks;
- A description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
- Risks related to cyber incidents that may remain undetected for an extended period; and
- A description of relevant insurance coverage.
Consistent with disclosure requirements for risk factors generally, cybersecurity risk disclosure must adequately describe the material risks and how each risk affects the issuer, avoiding generic disclosures and language describing mitigating factors.
Management’s Discussion and Analysis
An issuer should disclose in its Management’s Discussion and Analysis (“MD&A”) any cybersecurity risks or incidents “represent[ing] a material event, trend or uncertainty that is reasonably likely to have a material effect on the issuer’s results of operations, liquidity or financial condition.” As an example, if material intellectual property is stolen in a cyber-attack, the nature and effects of that theft, if material, should be described and the impact on operations should be assessed. Even if a prior cyber incident did not have a material effect on the issuer’s financial condition, disclosure of that incident may be required if the incident caused the issuer to materially increase its cybersecurity expenditures.
Description of Business
Issuers should provide disclosure in the “Description of Business” section of their reports and prospectuses pursuant to Item 101 of Regulation S-K if a cyber incident materially affects a registrant’s products, services, relationships with customers or suppliers, or competitive conditions, both for the issuer as a whole and for each of its reportable business segments. For example, if a cyber incident could materially impair the future viability of an issuer’s new service or product, the issuer should discuss the incident and its potential impact.
If a pending legal proceeding to which an issuer is a party involves a cyber incident, such as stolen customer information, details of such litigation may need to be disclosed in its “Legal Proceedings” disclosure pursuant to Item 103 of Regulation S-K to the extent material. Such disclosure should include a description of the factual basis underlying the claim and the relief sought.
Financial Statement Disclosure
Prior to, during, and after a cyber incident, an issuer must make decisions regarding a number of issues related to its financial statements. Cyber incidents may result in diminished future cash flows, thereby requiring consideration of impairment of certain assets, including goodwill, customer-related intangible assets, trademarks, patents, capitalized software, or other long-lived assets associated with hardware, software and inventory. Cybersecurity risks and cyber incidents may have a further material impact on the financial statements, including the costs of developing or maintaining cybersecurity software, incentives offered to customers harmed by a cyber incident to maintain their business relationship with the issuer, and losses from asserted and unasserted claims, including those related to warranties, breach of contract, product recall and replacement, and indemnification of counterparty losses. To the extent a cyber incident is discovered after the balance sheet date but before the issuance of financial statements, disclosure of such subsequent event may be necessary.
Disclosure Controls and Procedures
Finally, the SEC staff’s guidance encourages management to consider whether there are any deficiencies in an issuer’s disclosure controls and procedures that would render them ineffective as a result of a cyber incident. Issuers should evaluate the extent to which cyber incidents pose a risk to their ability to record, process, summarize, and report information that is required to be disclosed in SEC filings. For example, if there is a material risk that a hacker could hinder a registrant’s ability to record, process, summarize and report information that is required to be disclosed in filings with the SEC, such controls may be considered ineffective and management would be required to disclose that fact to the public.
Given the negative impacts and costs of cybersecurity attacks and events, such as remediation costs, costs of increasing cybersecurity, lost revenues, litigation and reputational damage, issuers should reassess their cybersecurity prevention, incident identification and remediation efforts, and current disclosures.
The disclosure guidance cautions that issuers should reassess, on an ongoing basis, their disclosure controls and procedures and any disclosures made in SEC filings. Inherent in this guidance is the possibility that, if a material event were to occur, and if the risk of such an event had been foreseen and identified, failure to make appropriate prior cybersecurity disclosures could lead to enforcement review and action by the SEC’s Division of Enforcement and could be used by investors to argue for securities violations by the registrant under the anti-fraud rules.