On October 13, 2011, the staff of the Securities and Exchange Commission ("SEC") released disclosure guidance regarding public company disclosure obligations relating to cybersecurity risks and cyber incidents (the "Disclosure Guidance")."[1]  The Disclosure Guidance reviews specific SEC disclosure rules that may require public companies to describe cybersecurity matters and provides SEC staff guidance on what type of disclosure, if any, may be necessary in light of a company's particular facts and circumstances.  The Disclosure Guidance is available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.  Cybersecurity is only the second topic to be addressed in the Division of Corporation Finance's new Disclosure Guidance publications.

Background

The Disclosure Guidance follows a May 2011 joint letter from five U.S. senators to SEC Chairman Mary Schapiro requesting that the SEC develop and publish interpretative guidance "clarifying existing disclosure requirements pertaining to information security risk, including material information security breaches involving intellectual property or trade secrets."[2]   Chairman Schapiro responded by summarizing specific rules and items that may trigger disclosure requirements under the federal securities laws and noting that she had asked the SEC staff to provide her with a briefing on current disclosure practices and on whether additional guidance is needed.[3]  The Disclosure Guidance sets forth the views of the SEC's Division of Corporation Finance and is not an SEC rule, regulation, or statement.

Overview of the Disclosure Guidance

The SEC staff states at the outset that its Disclosure Guidance in this context is "consistent with the relevant disclosure considerations that arise in connection with any business risk."  It notes that the SEC staff is "mindful of potential concerns that detailed disclosures could compromise cybersecurity efforts -- for example, by providing a 'roadmap' for those who seek to infiltrate a registrant's network security."  In this regard, the SEC staff emphasizes that SEC rules do not require disclosure that itself would compromise a company's cybersecurity.  Instead, it states that companies should "provide sufficient disclosure to allow investors to appreciate the nature of the risks faced by the particular registrant in a manner that would not have that consequence."  

The Disclosure Guidance acknowledges that existing SEC disclosure rules do not explicitly reference cybersecurity matters but notes that such disclosures may still be required under existing SEC rules:  "material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading."  Thus, similar to the SEC's 2010 Interpretative Release with respect to climate change disclosures[4], the Disclosure Guidance provides the SEC staff's thoughts on the application of existing SEC disclosure rules to cybersecurity matters.   Specifically, the Disclosure Guidance addresses disclosure considerations applicable to both cybersecurity risks and cyber incidents under the following provisions:

1.  Risk Factors

  • Risk factor disclosures under Item 503(c) should include a discussion of cybersecurity and cyber incidents if such issues are among the most significant factors that make an investment in the company speculative or risky.  In determining whether to make such disclosure, companies should consider all available information, which the SEC staff notes includes the frequency and severity of prior cyber incidents, the probability of and qualitative and quantitative magnitude of risk from future attacks.  The Disclosure Guidance states that companies also should take into account the adequacy of any preventative measures taken to reduce cybersecurity risks, taking into account the industry in which they operate.
  • Cybersecurity risk factor disclosures should be tailored to a company's individual facts and circumstances and should avoid "boilerplate" disclosures.  Among the disclosures that may be appropriate are discussions of:  the nature of the company's business or operations that give rise to cybersecurity risk; a description of outsourced functions that have material cybersecurity risks, including how the company addresses those risks; the actual and likely costs and consequences for the company of a cyber incident; the occurrence and impact of any actual or threatened cyber incidents at the company; the adequacy of cybersecurity preventative measures; and relevant insurance held by the company. 
  • Companies also may need to disclose known or threatened cybersecurity incidents to put the cybersecurity risk factor disclosures in context.  Thus, where a company has experienced a specific type of cyber incident, the company should consider discussing it as well as its known and potential costs and other consequences.   

2.  Management's Discussion and Analysis of Financial Condition and Results of Operations

  • Under Item 303, the MD&A should include a discussion of cybersecurity risks and incidents if cyber incidents have had or are likely to have a material effect on a company's liquidity, results of operations or financial condition or would cause reported financial information not to be necessarily indicative of future operating result or financial condition. 
  • For example, the MD&A should discuss a material reduction to a company's revenues due to a loss of customers following a cyber incident or a material increase in costs resulting from litigation linked to a cyber incident or related to protecting the company from future cyber incidents.   

3.  Description of Business

  • Public companies should discuss cyber incidents in their Description of Business to the extent that such incidents materially affect a company's products and services, relationships with customers or suppliers, or competitive conditions.  Such disclosure should consider the impact of the cyber incidents on each reportable segment.  

4.  Legal Proceedings

Companies may need to include in their Legal Proceedings disclosure a discussion of material pending legal proceeding involving a cyber incident where the company or any of its subsidiaries is a party to the litigation.

5.  Financial Statement Disclosures

  • Cybersecurity risks and cyber incidents may have significant effects on a company's financial statements.  For example, prior to a cyber incident, a company may incur substantial costs in the development of preventative measures. 
  • During and after a cyber incident, companies may offer customers additional incentives to encourage customer loyalty and incur significant losses and diminished cash flows resulting in impairment of certain assets.  Companies should ensure that any such impacts to financial statements are accounted for pursuant to applicable accounting guidance.

6.  Disclosure Controls and Procedures

Companies should consider the risks that cyber incidents may pose to the effectiveness of their disclosure controls and procedures.  If it is reasonably possible that a cyber event might disrupt a company's ability to provide the SEC with information required to be disclosed in SEC filings, then a company may conclude that its disclosure controls and procedures are ineffective.  

7.  Form 8-K

  • The Disclosure Guidance reminds companies that they may need to disclose the costs and other consequences of material cyber incidents in a Form 8-K if necessary to maintain the accuracy and completeness of information in the context of securities offerings.  Although not addressed in the Disclosure Guidance, companies should be mindful that, in other contexts, it may be appropriate to address material cybersecurity incidents in a Form 8-K if, for example, they lead to material impairments, or if it is necessary to provide FD-compliant disclosures when voluntarily providing information regarding an actual or attempted cybersecurity incident. 

What Companies Should Do Now

In light of the Disclosure Guidance, public companies should:

  1.  As part of the company's disclosure controls and procedures, review the existing process for assessing the materiality of cybersecurity matters to the company and determine what (if any) disclosures should be included in their SEC filings with respect to cybersecurity matters.  The process should include discussions among the company's securities law counsel, information technology and security personnel and members of the company's disclosure committee. 
  2. Assess the company's current disclosures and compare them to disclosures by others in the company's industry.  Cybersecurity disclosures are not uncommon:  twenty-one Dow 30 companies included discussions of or references to cybersecurity or data breaches in their 2011 Form 10-K risk factor disclosures.  However, the Disclosure Guidance cautions that such disclosures must be specifically tailored to a company's particular circumstances.
  3. Be prepared in the event of a cyber incident to consider what disclosures may be necessary, including whether a Form 8-K is appropriate.  The SEC staff may monitor news reports for cybersecurity incidents, review those companies' SEC filings and issue comments based on the Disclosure Guidance. 
  4. Companies should be mindful that additional requirements related to cybersecurity may be forthcoming from the Administration and Congress.  In May 2011, the White House presented to the Speaker of the House and the President of the Senate a legislative proposal titled the "Cybersecurity Regulatory Framework for Covered Critical Infrastructure Act" (the "Proposed Critical Infrastructure Act"),[5] that is part of a broad set of proposed legislation that would, among other things, impose new disclosure and certification requirements on "critical infrastructure" entities.  For example, the proposed legislation would require a covered company's CEO to certify (akin to the certifications required by Section 404 of the Sarbanes-Oxley Act of 2002 ("Sarbanes-Oxley")) in annual SEC filings that the company:  (1) has developed and is expeditiously implementing a cybersecurity plan compliant with the provisions of the Act; (2) that a cybersecurity evaluation has been completed; and (3) whether such evaluation concluded that the covered critical infrastructure is effectively mitigating identified cybersecurity risks.  At least three Congressional committees have held hearings on the White House proposal and other related proposals, and a number of senators have introduced separate cybersecurity legislation of varying types. [6]