New guidance[1] from the Securities and Exchange Commission’s Division of Corporation Finance, issued October 13, 2011, advises publicly-traded companies that they are responsible for evaluating cybersecurity[2] risks and, potentially, for disclosing such risks to investors. This is the first time the SEC has issued disclosure guidance on the subject of cybersecurity.[3] SEC registrants should now take steps to assess whether their current risk evaluation and disclosure procedures are sufficient to account for the potential liabilities associated with cybersecurity threats.
The non-binding guidance,[4] which applies to publicly-traded companies in the government contracting industry, signifies the latest of a growing number of cybersecurity compliance obligations (described below) imposed on companies that do business with the federal government. Government contractors, in particular, need to devote significant attention to their compliance capabilities in the months ahead in order to fulfill their steadily-increasing obligations.
No existing disclosure requirement refers explicitly to cybersecurity or cybersecurity risks. However, according to the guidance, SEC registrants are nonetheless responsible for considering such risks when determining what disclosures they must make to investors. Thus, the Division of Corporate Finance “determined that it would be beneficial to provide guidance that assists registrants in assessing what, if any, disclosures should be provided about cybersecurity matters in light of each registrant’s specific facts and circumstances.”
The guidance explains that the “cyber incidents” about which it is concerned encompass a broad range of threats. Such incidents include “gaining unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data, or causing operational disruption” and “causing denial-of-service attacks on websites.” In addition, these attacks may be carried out by both third parties and company insiders, and they may be technically sophisticated or rudimentary.
The SEC guidance identifies the potential costs of cyber incidents as follows:
- Remediation costs that may include liability for stolen assets or information and repairing system damage that may have been caused. Remediation costs may also include incentives offered to customers or other business partners in an effort to maintain the business relationships after an attack;
- Increased cybersecurity protection costs that may include organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third party experts and consultants;
- Lost revenues resulting from unauthorized use of proprietary information or the failure to retain or attract customers following an attack;
- Litigation; and
- Reputational damage adversely affecting customer or investor confidence.
Potential Disclosure Requirements
With these liabilities in mind, the guidance advises that SEC registrants may be required to disclose cybersecurity risks and incidents that “a reasonable investor would consider important to an investment decision” or where required to ensure that other required disclosures are not misleading.[5]
To this end, the guidance advises registrants to disclose cybersecurity risks and incidents where these considerations are among the significant factors that make an investment in the company “speculative or risky.” The guidance advises registrants to consider the probability of cyber incidents and the impact of those events if they occur – including both immediate and long-term consequences, such as those stemming from the misappropriation of sensitive information. Registrants are urged to evaluate their cybersecurity risk in the context of the industry in which they operate. This directive is especially important within the government contracting industry, where cybersecurity threats potentially impact national security.
Appropriate disclosures may include:
- Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
- To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
- Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
- Risks related to cyber incidents that may remain undetected for an extended period; and
- Description of relevant insurance coverage.
Any disclosures should explain the specific impact of each risk on the registrant and should not be generic, such that the disclosures could “apply to any issuer or offering.”[6] However, the guidance clarifies that “federal securities laws do not require disclosure that itself would compromise a registrant’s cybersecurity. Instead, registrants should provide sufficient disclosure to allow investors to appreciate the nature of the risks faced by the particular registrant in a manner that would not have that consequence.”
Further, registrants are directed to address cybersecurity risks and incidents in their Management Discussion and Analysis (MD&A) reports if any cost or consequence associated with those risks or incidents represents a “material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.”[7] For example, if intellectual property is stolen in a cyber attack and such theft is likely to have a material financial impact on the company, the guidance provides that the registrant should identify the property and describe the expected financial impact – including revenue reductions and increases in cybersecurity protection costs.
The guidance also specifies that cyber incidents may require disclosure in a registrant’s “Description of Business,” in its “Legal Proceedings” disclosure and in its financial statements. Moreover, registrants should disclose conclusions on the effectiveness of their disclosure controls and procedures. The guidance provides that “if it is reasonably possible that information [for other SEC filings] would not be recorded properly due to a cyber incident affecting a registrant’s information systems, a registrant may conclude that its disclosure controls and procedures are ineffective.”
Cybersecurity and Government Contracting
As companies have grown increasingly reliant on digital technologies to conduct their business, the risks associated with cybersecurity breaches also have increased. The foregoing guidance on SEC disclosure requirements represents only the latest example of the federal government’s burgeoning attention to cybersecurity concerns. While existing cybersecurity regulations have imposed duties to the government on government contractors, the new SEC guidance clarifies that publicly-traded contractors also have cybersecurity disclosure duties to their investors.
Before 2002, Federal Acquisition Regulation (FAR) 52.239-1, “Privacy or Security Safeguards,” represented the primary cybersecurity compliance requirement for government contractors. Where applicable, this FAR clause requires contractors to comply with government inspections and make disclosures to the government in the event of a cybersecurity breach. FAR 52.239-1 provides, in part:
(b) To the extent required to carry out a program of inspection to safeguard against threats and hazards to the security, integrity, and confidentiality of Government data, the Contractor shall afford the Government access to the Contractor’s facilities, installations, technical capabilities, operations, documentation, records, and databases.
(c) If new or unanticipated threats or hazards are discovered by either the Government or the Contractor, or if existing safeguards have ceased to function, the discoverer shall immediately bring the situation to the attention of the other party.
In 2002, Congress passed the Federal Information Security Management Act (FISMA),[8] which requires federal agencies to develop and implement agency-wide programs to provide information security to the cyber systems that support the agencies’ operations, including those provided by government contractors. A number of federal agencies, such as the State Department, have begun to implement FISMA by including clauses in their contracts that require contractors to submit FISMA compliance plans.
Another important example of the government’s increasing focus on cybersecurity is a proposed amendment to Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7000 designed to implement security measures to protect unclassified DoD information within contractor systems and to “prescribe reporting to DoD with regard to certain cyber intrusion events that affect DoD information resident on or transiting through contractor unclassified information systems.”[9]
Government contractors need to be aware of this trend in government regulation and take immediate steps to assess their cybersecurity capabilities and risks. Going forward, it will not be sufficient for contractors merely to have advanced data security and information assurance systems in place. In order to fulfill their numerous disclosure obligations, contractors also will need to have advanced risk assessment procedures in place to evaluate the complex liabilities associated with cybersecurity threats.