Public companies need to assess their exposure to cyber risks and the procedures they take and costs they incur in preventing cyber incidents as part of their overall assessment of matters that can have a material effect on their company’s operations or financial condition.
The disclosure guidance issued on October 13, 2011 (the “Disclosure Guidance”) by the Division of Corporation Finance of the Securities and Exchange Commission (“SEC”) does not impose a new legal requirement. However, it is significant in that it identifies cyber risks and incidents as potential material information to be disclosed under existing securities law disclosure requirements and accounting standards. While the Disclosure Guidance states that it represents the views of the Division of Corporation Finance and is “not a rule, regulation or statement of the Securities and Exchange Commission,” companies can now expect the SEC to review their filings to see whether cyber risks and incidents are adequately disclosed.
Other federal regulations and guidance issued by other agencies in recent years have focused on identifying risks that would affect consumers. This Disclosure Guidance, however, is directed at protecting investors and encouraging companies to assess their risks of cyber incidents and review the adequacy of their disclosures as to those risks and their impact on a company’s operations, liquidity and financial condition. A broad range of factors are identified in the Disclosure Guidance for consideration, including prior cyber incidents, business operations and outsourced functions that have material cyber risks and potential costs and consequences, and relevant insurance coverage purchased by the company to address its exposures. Public companies now have a blueprint for assessing their cyber risk exposures, and for determining their reporting obligations as to material exposures, along with the context for evaluating such disclosures.
The Disclosure Guidance follows in the wake of a May 11, 2011 letter to the SEC from five members of the Senate, including John D. Rockefeller IV, Chairman of the U.S. Senate Committee on Commerce, Science, and Transportation. That letter expressed concern that “a substantial number of companies do not report their information security risk to investors,” and that “once a material network breach has occurred, leaders of publicly traded companies may not fully understand their affirmative obligation to disclose information . . . .” As a result, the Senators requested that the SEC “publish interpretative guidance clarifying existing disclosure requirements pertaining to information security risk . . . .”
The Disclosure Guidance was drafted to assist companies preparing disclosures required under U.S. federal securities laws (such as registration statements under the Securities Act of 1993 and periodic reports under the Securities Exchange Act of 1934) to assess whether they have a cyber risk exposure that should be disclosed.
Specific Disclosure Obligations
On one hand, the Disclosure Guidance recognizes that no existing disclosure requirement “explicitly refers” to cyber security risks and cyber incidents. On the other hand, however, the Disclosure Guidance notes that numerous federal securities disclosure requirements may impose an obligation on public companies to report cyber security risks and incidents within their SEC filings. The Disclosure Guidance serves to identify factors for companies to consider in determining if they have a cyber security risk that should be disclosed under existing requirements.
Risk Factor Disclosure
The Disclosure Guidance identifies as the overall standard that registrants should disclose the risk of cyber incidents if such risk is among the “most significant” factors that would make an investment in the company “speculative or risky.” The Disclosure Guidance identifies factors companies should take into account in determining whether disclosure is warranted, including:
- prior cyber incidents and the severity and frequency of those incidents;
- the “probability” of cyber incidents occurring and their potential magnitude (e.g., misappropriation of assets or sensitive information, corruption of data or operational disruption); and
- the adequacy of preventive actions taken to reduce cyber security risks.
While encouraging specific disclosures and discouraging “generic ‘boilerplate’” disclosure, the Disclosure Guidance acknowledges the concern that overly specific disclosures could provide a “roadmap” to those seeing to infiltrate a company’s network security and emphasizes that disclosures of that nature are not required. Instead, it offers appropriate disclosure examples in the event that risk factor disclosure is required, such as:
- discussion of aspects of the company business or operations that give rise to material cyber security risks, and potential costs and consequences;
- whether there is outsourcing of functions that have material cyber security risks, including a description of those functions and how the company addresses those risks;
- description of material cyber incidents experienced, including a description of the costs and other consequences;
- identification of risks related to cyber incidents that may remain undetected for an extended period of time; and
- description of relevant insurance coverage.
Further, the Disclosure Guidance states that cyber security risks and incidents should be addressed in Management's Discussion and Analysis of Financial Condition and Results of Operations if:
- the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.
Examples of other disclosures discussed in the Disclosure Guidance that may be required include:
- material pending legal proceedings involving a cyber incident;
- substantial costs incurred to prevent a cyber attack;
- costs incurred in mitigation of damages following a cyber incident, such as “incentives” offered to customers to maintain business relationships (e.g., free services or products); and
- disclosure of losses that are “probable and reasonably estimable,” or even “reasonably possible” following a cyber attack (e.g., losses related to warranties, breach of contract, product recall and replacement, and indemnification of counterparty losses from remediation efforts).
As a result of the Disclosure Guidance, public companies now have interpretative guidance to follow in assessing the scope of their cyber security disclosure obligations prior to, during and after a data breach or other cyber security incident has occurred. The Disclosure Guidance also identifies factors companies should consider in their assessment of their cyber risks for risk management purposes, such as their outsourcing of functions, their exposure to business interruption in the event of a cyber attack or theft of intellectual property, and their purchase of relevant insurance coverage, which is likely to include insurance for the first party costs and losses that a company can incur as a result of a cyber security incident as well as more traditional coverage for third party claims.
Public companies should take the opportunity to evaluate their cyber security risks and consider the adequacy of their disclosures and their procedures for mitigation of those risks.
A copy of the Disclosure Guidance can be found here.