The Division of Corporation Finance of the Securities and Exchange Commission (SEC) recently issued guidance on disclosure issues relating to cybersecurity risks and cyber incidents.[1] The issuance follows a request made by a group of Senators that the SEC address disclosure requirements pertaining to information security risk.[2] While the guidance does not on its face impose any new rules or regulations on SEC registrants, it provides valuable insight into the Staff’s views on how existing disclosure standards should apply to these matters. In the past, similar types of guidance on other topics have resulted in many companies receiving comments when they do not include sufficient disclosure on the topic.
Cybersecurity risk and cyber incidents are not explicitly addressed in any existing disclosure requirements. The guidance is therefore focused on explaining how certain of the standard disclosure requirements that are applicable to a range of SEC disclosure documents (such as registration statements and periodic reports) may nevertheless impose an obligation to provide disclosure about cybersecurity-related matters. In addition to being helpful with respect to cybersecurity disclosure, the Staff’s discussion of the application of general disclosure requirements to this specific category of risks and incidents serves as a useful example of the Staff’s reasoning and analysis regarding disclosure issues in general. The guidance may therefore also prove helpful to companies in assessing their disclosure obligations relating to business risks and incidents in areas unrelated to cybersecurity.
As businesses of all kinds are becoming increasingly dependent on information technology and the Internet – utilizing computer systems, email, websites, social media, data storage, etc. – this guidance should apply to a wide range of companies. As noted in the guidance, cyber incidents may result in substantial costs and other negative consequences. Among other things, an issuer may incur remediation costs that could include repairs and liability for stolen assets or information, as well as incentives offered to customers and other business partners affected by the incident with a view to maintaining those business relationships. Other examples include increased costs to prevent future incidents, lost revenues due to unauthorized use of proprietary information, litigation costs, and reputational damage adversely affecting customer and investor confidence. When assessing the materiality of past cyber incidents and the risk of cyber incidents occurring in the future, the company needs to take all such potential costs and consequences into consideration when preparing its disclosure.
While the Staff expects timely, comprehensive and accurate disclosure about cybersecurity-related issues, it expressly recognizes the legitimate concern that detailed information could compromise the company’s cybersecurity efforts by effectively providing a “roadmap” for potential cyber attackers. The Staff therefore emphasizes in the guidance that disclosure of this nature is not required.
The following are the disclosure requirements that are individually addressed in the guidance. In addition to analyzing these specific items, the Staff also reminds registrants of their general obligation to disclose any material information when such disclosure is necessary to ensure that other disclosures are not misleading.
Risk Factors

If a company concludes that cybersecurity issues are among the most significant factors that make an investment in its securities speculative or risky, it should include cybersecurity risk disclosure that adequately describes the nature of the risks and specifies how each risk affects the company. In determining whether disclosure is required, the company should take into account all available relevant information, including the existence of known or threatened cyber incidents (potentially including details of specific prior incidents), the probability of future incidents and the quantitative and qualitative magnitude of the risks, including the potential costs and other direct and indirect consequences of an incident. The company should also consider the adequacy of preventive actions taken to reduce cybersecurity risks. As with any risk factors, the Staff emphasizes that the company should avoid generic boilerplate disclosure and should instead tailor the risk factor to the company’s particular circumstances.
MD&A

If the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on a company’s results of operations, liquidity, or financial condition, or would cause reported financial information not to be necessarily indicative of future operating results or financial condition, the company should address cybersecurity risks and cyber incidents in its Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A). As examples of incidents that may need to be addressed in the MD&A (along with the effects and consequences of those incidents), the Staff mentions a cyber attack involving the theft of material intellectual property and a cyber incident that prompts the company to materially increase its cybersecurity protection expenditures. This would need to be reviewed on a quarter-by-quarter basis.
Business Description

To the extent one or more cyber incidents materially affect a company’s products, services, relationships with customers or suppliers, or competitive conditions, the company should provide appropriate disclosure in its business description. The company should consider the impact on each of its reportable segments when making this determination.
Legal Proceedings

If a material pending legal proceeding to which a company or any of its subsidiaries is a party involves a cyber incident, the company may be required to disclose information regarding this litigation as part of its legal proceedings disclosure.
Financial Statement Disclosures

Cybersecurity risks and cyber incidents may have a broad impact on a company’s financial statements. The guidance lists the following examples of ways in which such risks and incidents may have accounting consequences:
- the capitalization of prevention costs related to internal-use software;
- the recognition, measurement and classification of customer incentives provided to mitigate damages from a cyber incident;
- the accounting for losses from asserted and unasserted claims resulting from a cyber incident; and
- the impairment of certain assets due to diminished future cash flows as a result of a cyber incident.
Moreover, if a cyber incident is discovered between the balance sheet date and the date of the issuance of the financial statements, the company may need to consider whether it is necessary to include disclosure of a subsequent event.
Disclosure Controls and Procedures

To the extent cyber incidents jeopardize a company’s ability to record, process, summarize, and report information that is required to be disclosed in SEC filings, the company’s management should consider whether there are any deficiencies in its disclosure controls and procedures that would render them ineffective. As an example, the guidance notes that a company may conclude that its disclosure controls and procedures are ineffective if it is reasonably possible that information would not be recorded properly due to a cyber incident affecting the company’s information systems.
The new guidance is a reminder that companies should evaluate all aspects of the cybersecurity exposure of their business and of any individual reportable segment. The evaluation needs to include both prior cyber incidents and the risk of future incidents, considering all circumstances such as the general risks in the company’s industry, known risks specific to the individual company, and preventive measures that have been or could be employed by the company. As a general matter, this is an internal focus of many companies in the current environment. As noted above, the company should take all potential direct and indirect costs and consequences of any actual or potential incidents into consideration, including the risk that past incidents may have adverse consequences that have yet to materialize or be identified.
Based on this evaluation, the company should carefully review and assess the adequacy of its existing disclosure relating to cyber incidents and cybersecurity risks, keeping in mind the new guidance provided by the Staff. In addition to reviewing and updating its disclosure in future registration statements and annual and quarterly reports, the company should consider on an ongoing basis whether any current disclosure is appropriate in respect of any material cyber incident. As noted by the Staff, this is particularly important for companies with an effective shelf registration statement, as these companies may be required to file a report on Form 8-K or Form 6-K to provide disclosure about a material cyber incident in order to maintain the accuracy and completeness of the information in the shelf registration statement.
Finally, in order to ensure compliance with these obligations on an ongoing basis, the company should review its general disclosure controls and procedures to assess the adequacy of its existing processes for evaluating cyber incidents and other cybersecurity-related matters in the context of the company’s SEC disclosure obligations. In this respect, it is important to ensure that there are procedures in place for the company’s management and disclosure committee to involve personnel with the appropriate technological and security expertise in the process of assessing the materiality to the company of any cyber incidents and cybersecurity risks. For example, companies should consider having their chief information officer or equivalent report regularly to the disclosure committee on these issues.