On October 13, 2011, the SEC's Division of Corporation Finance released "CF Disclosure Guidance: Topic No. 2 – Cybersecurity." This guidance provides the Division of Corporation Finance's views regarding disclosure obligations relating to cybersecurity risks and cyber incidents.

Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. The guidance indicates that, as with other operational and financial risks, registrants should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.

According to the guidance, the following are the specific disclosure obligations that may require a discussion of cybersecurity risks and cyber incidents:

  • risk factors
  • MD&A
  • description of business
  • legal proceedings
  • financial statement disclosures
  • disclosure controls and procedures