The Securities and Exchange Commission has issued a Guidance Document setting forth suggested cyber-security disclosures for public companies issuing quarterly and annual reports and other mandatory disclosures in connection with certain equity and debt offerings. This Guidance is not a new disclosure requirement -- rather, this document offers guidance on how existing disclosure obligations apply to cyber-security risks. This Guidance Document may cause many companies to re-evaluate their approach to disclosing cyber-security risks. Significant recommendations include the following:
- In disclosing "risk factors" relevant to company operations, the Guidance Document recommends detailing the cyber-security risks particular to a company's business operations AND insurance available to cover these particular risks. These recommendations may cause Risk Managers to re-evaluate insurance programs and evaluate existing insurance coverage to determine whether it adequately addresses the costs and liabilities likely to arise if the company suffers a cyber-attack.
- In connection with the Management Discussion and Analysis ("MD&A"), the Guidance Document directs companies to disclose cyber-attacks where such attacks are reasonably likely to have material adverse effect on the company's finances. While laws of 46 states and various federal laws, such as HIPAA/HITECH and Gramm-Leach-Bliley, already mandate public disclosure of cyber-attacks in certain circumstances, a pending quarterly or annual report (or other mandatory disclosure document) may cause companies to accelerate their decisions as to whether disclosure of a cyber-attack is legally mandated.
- With another recommendation that may have broad impact on Risk Managers, the Guidance Document states that companies "should consider" customer incentives to maintain relationships after a cyber-attack. While it is common to offer some benefits to affected individuals affected by cyber-attacks, such as enhanced credit monitoring, this recommendation may cause companies to consider offering additional benefits to restore customer good will that may be damaged by a cyber-incident.
Specifically, the SEC Guidance Document recommended the following disclosures in annual and quarterly reports and other mandatory disclosure documents:
- Risk Factors: "Registrants should disclose the risk of cyber-incidents if these issues are among the most significant factors that make an investment in the company speculative or risky." According to the document, examples of appropriate disclosures include:
- Discussion of aspects of the registrant's business or operations that give rise to material cyber-security risks and the potential costs and consequences;
- To the extent the registrant outsources functions that have material cyber-security risks, description of those functions and how the registrant addresses those risks;
- Description of cyber-incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
- Risks related to cyber-incidents that may remain undetected for an extended period; and
- Description of relevant insurance coverage.
- MD&A: "Registrants should address cyber-security risks and cyber-incidents in their MD&A if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant's results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition."
- Description of Business: "If one or more cyber-incidents materially affect a registrant's products, services, relationships with customers or suppliers, or competitive conditions, the registrant should provide disclosure in the registrant's 'Description of Business.'"
- Legal Proceedings: "If a material pending legal proceeding to which a registrant or any of its subsidiaries is a party involves a cyber-incident, the registrant may need to disclose information regarding this litigation in its "Legal Proceedings" disclosure."
- Financial Statement Disclosures: "Cyber-security risks and cyber-incidents may have a broad impact on a registrant's financial statements, depending on the nature and severity of the potential or actual incident."
- Disclosure Controls and Procedures: "Registrants are required to disclose conclusions on the effectiveness of disclosure controls and procedures."
It is important to note that the guidance is not a rule, regulation, or statement of the SEC, and the SEC has not approved or disapproved its content. Balancing disclosure and non-disclosure, even without this Guidance, can be tricky following a cyber-security event. Many times there are instances when disclosure is not advisable or permitted, such as when law enforcement is involved and disclosure will impede the success of the investigation. Or, an organization may want to complete a complicated forensics investigation to learn all of the details surrounding the breach before advising the world that an event has occurred.