SEC Provides Guidance for Cyber-Security Disclosure

Simon Riveles Cyber-security, SEC

As digital technology and operating online has become ever more important for American companies, the risk associated with deliberate cyber-attacks and unintentional cyber-incidents has caught the attention of regulators. On October, 13, 2011, the Securities and Exchange Commission provided guidance to public companies concerning their duty to disclose these risks under the securities laws.[1]The Commission pointed out that the risks posed by deliberate attacks or unintentional disruptions to a company’s online operations may vary widely. Cyber attacks come in a variety of forms, including attempts to gain unauthorized access to proprietary information or assets, corrupting data or disruption of service. Although the methods and objectives of cyber-attacks vary, companies that fall victim to cyber-incidents of whatever nature may incur substantial costs and suffer material negative consequences to their business operations and revenues including:

  • Remediation costs including liability for stolen assets or information, repairing system damage and providing incentives to customers to maintain their business;
  • Increased cyber-security protection costs may include adding personnel, technology, training employees or hiring third party consultants;
  • Lost revenue from unauthorized use of proprietary information
  • Litigation
  • Reputational damage from service outages for example or damage to confidence

Disclosure by Public Companies Regarding Cyber-Security Risks and Incidents

The securities laws are meant to prompt the disclosure of timely, accurate and comprehensive information that a reasonable investor would consider important in making an investment decision. While no current requirement specifically mandates disclosure of cyber-security risks, the obligation to do so may arise in light of other disclosure duties. In determining whether risks regarding cyber-security rise to a level where disclosure is required the following factors should be evaluated.

Risks

In determining whether the risks posed by cyber-security require disclosure, the company should consider all available information, including prior cyber-incidents, the severity and frequency of those incidents, the probability of future incidents and the quantitative and qualitative magnitude of such risks. Additionally, the adequacy of preventative actions taken to reduce cyber-security risks in the context of the industry in which the company operates should also be considered. Consistent with Regulation S-K 503(c) cyber-security risk disclosures should adequately describe the nature of the risks and specify how each risk affects the registrant. Registrants should tailor such information to their individual circumstances and avoid “boilerplate” risk disclosures. Depending on the facts and circumstances of companies business, the following disclosures regarding material risk may include:

  • Discussion of aspects of the registrants business or operations that give rise to material cyber-security risks and potential costs and consequences;
  • Description of material cyber incidents experiences by the company, including a description of the costs and other consequences;
  • Risks related to cyber incidents that may remain undetected for an extended period of time
  • Description of relevant insurance coverage

MD&A, Description of Business and Legal Proceedings

If the consequences associated with one or more cyber-incidents or the risks poses by such incident(s) threaten to have a material impact on the registrant’s results of operations, liquidity or financial condition, such information should be addressed in the management discussion and analysis (MD&A) disclosure. The nature of the cyber-incident or cyber-risk, the steps the company has taken to mitigate such incident or risks and the likely impact on operations should be discussed. Additionally, if such incidents materially affect a registrant’s products, services or relationships or competitive position such information should be disclosed in registrant’s “Description of Business”. And if material legal proceedings have results from a cyber-incident such should be disclosed in “Legal Proceedings” section of the registrant’s MD&A. Disclosure may be appropriate prior to an actual incident, as well as during and after an incident.

Next Steps for Public Companies in Light of SEC Guidance

In light the SEC’s guidance, public companies should:

  • Include security personnel, IT, law and disclosure committee in reviewing the existing process for evaluating the materiality of cyber-security matters and determine what (if any) disclosures should be included in their SEC filings.
  • Evaluate the company’s current disclosures in light of current industry practice, particularly since disclosure of cyber-security risks and incidents are becoming more common.
  • Be prepared in the event of a cyber incident to consider what disclosures may be necessary, including filing of a Form 8-K.

 

 



[1] The SEC guidance can be found here: https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm

Previous PostNext Post

Share this Post