In light of the increasing magnitude and scope of cyber threats, as well as growing concerns about disruptions to public companies’ operations, the Israel Securities Authority (ISA) has published a Staff Position Statement addressing public companies’ required disclosures for all cyber-related issues.
Although the aforesaid position statement does not prescribe new disclosure obligations, it does clarify the existing disclosure requirements imposed on both public companies and reporting corporations. Moreover, it reiterates that disclosures consistent with the ISA’s position statement are subject to the relevant tests of materiality.
Following are the key points in the ISA Staff Position Statement:
Disclosure in a Prospectus and a Periodic Report
In the clause “discussion of risk factors” in the section “Description of the Corporation’s Businesses” – Cyber risks are treated like any other risk factor. If a corporation faces a material cyber risk that could disrupt its operations, it is required to disclose this risk in the clause on “discussion of risk factors.” Such disclosure must include a description of the risk, details of the company’s cyber-security policy, specifics on how the policy’s implementation is supervised, and reference to the company’s testing of the effectiveness of its cyber-security measures.
When analyzing the materiality of its cyber risks, a corporation should take into account, inter alia, the following factors:
- previous cyber-attacks that occurred, including their severity and frequency;
- the likelihood of cyber-attacks materializing;
- the effectiveness of the corporation’s capabilities in preventing or minimizing its exposure to cyber risks;
- business and operating aspects of the corporation’s activities that pose material cyber risks, and the potential costs and repercussions of these risks, including risks that are specific to its sphere of business and risks posed by service providers and other third parties with whom the corporation has interconnectivity;
- the resources involved in maintaining cyber-security protections, including the purchasing of cyber insurance coverage;
- potential damage to assets, including intellectual property and reputational damages, as well as the severity of the potential damage to the corporation’s competitive advantages;
- laws and regulations, in effect or pending, that may impose cyber-related compliance costs on the corporation.
In the clause “event or matter outside of the corporation’s ordinary course of business” in the section “Description of the Corporation’s Businesses” – If material cyber-attacks occurred during the report period, the corporation should consider including a brief description of these cyber-attacks, or disclose them by referring to the Immediate Reports it published describing them. Depending on the circumstances and facts, and to the best of the corporation’s knowledge, the description should include details such as the identity or type of the attackers; the circumstances of the attack; the number of attacks and the duration of each; the corporation’s assessment of whether the attack has ended; the volume and types of damage caused, including indirect repercussions; the corporation’s assessment of whether it has identified all of the direct damage; the corporation’s efforts to contend with the attack; and the conclusions drawn and the measures instituted to prevent a recurrence of this type of attack. Even if a corporation has not suffered a single material cyber-attack, if it has had to contend with several cyber incidents that are material in the aggregate, it should consider issuing such a disclosure.
Disclosure in the Directors’ Report to the Shareholders
Insofar as a corporation believes that its exposure to cyber risks has materially increased during a report period, to a degree relevant to a general understanding of its business operations, or if one or more cyber-attacks occurred that had a material impact on one or more items in its financial statements (statement of financial position or operating results), the directors’ report should contain explanations in this regard. Such explanations may be necessary even if no cyber incident directly affected the financial statements, for example where cyber-related matters, such as the purchase of cyber insurance, were described in the section “Description of the Corporation’s Businesses.”
Disclosure in Immediate Reports
Upon the occurrence of a cyber-attack, a corporation is required, inter alia, to ascertain the materiality of the event as it pertains to compulsory reporting to the public. When ascertaining materiality, the corporation should analyze and evaluate all of the direct and indirect actual damages and potential damages.
Following are a few examples of cyber-related incidents that may require the publishing of an Immediate Report (not an exhaustive list):
- the corporation’s business operations were temporarily disrupted;
- the corporation’s databases were hacked in a way that is liable to directly or indirectly impact the corporation’s operations; if the database falls under privacy protection laws, the corporation must also issue an additional separate disclosure in this regard;
- the corporation’s main computerized system that is material to its operations has been damaged in a way that materially disrupts the corporation’s operations;
- the corporation received a demand to pay a ransom at a material sum during a cyber-attack;
- the corporation discovered that cyber-attackers hacked into its computerized systems (such as email accounts) and obtained business secrets, or detected a theft of personal or business information that, if publicized, is liable to cause material damage to the corporation;
- a cyber-security breach was discovered in a product or system that the corporation manufactured or that is under its responsibility, which would result in the corporation facing material exposure (as a manufacturer, product supplier, etc.).
Definitions
“Cyber risk” – the risk of a cyber-attack materializing;
“Cyber-security” – all operations required to prevent, contend with, and handle cyber-attacks, in order to minimize their impact and the damages they cause during and after, including information-security operations;
“Cyber-attack” – an attack designed to gain unauthorized access to or make unauthorized use of computer networks and systems to expose, alter, disable, destroy, steal, or corrupt the computerized material stored there.
Clarification: The above is a brief summary only. We recommend reading the accompanying full version of the ISA’s Staff Position Statement for complete information.