SEC Disclosure Guidance On Cybersecurity
Posted by Laura Anthony, Esq. on December 13, 2017
On October 13, 2011, the SEC issued a Disclosure Guidance related to cybersecurity risks and cyber incidents. Today I am continuing my discussion on that disclosure guidance. Obviously, where appropriate, cybersecurity risks need to be included in risk factor disclosures. The SEC guidance in this regard is very common-sense. The SEC expects companies to “evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents.” In addition, companies should consider the probability of an incident and the quantitative and qualitative magnitude of the risk, including potential costs and other consequences of an attack or other incident. Consideration should be given to the potential impact of the misappropriation of assets or sensitive information, corruption of data, or operational disruptions. A company should also consider the adequacy of the preventative processes and plans in place should an attack occur. Actual or threatened attacks may be material and require disclosure.
As with all risk-factor disclosures, the company must adequately describe the nature of the material risks and how such risks affect the company. Conversely, generic risk factors that could apply to any company should not be included. Risk factor disclosure may include:
• Discussion of the company’s business operations that give rise to material cybersecurity risks and the potential costs and consequences;
• Discussion of any outsourcing of functions that give rise to risks or preventative measures;
• Description of past incidents, including their costs and consequences;
• Risks of cyber-incidents that could remain undetected for a period of time; and
• Description of insurance coverage.
A company would also need to include a discussion of cybersecurity risks and incidents in its Management’s Discussion & Analysis (MD&A) if the costs or other consequences associated with one or more known incidents, or the risk of potential future incidents, result in a material event, trend or uncertainty that is reasonably likely to have a material effect on the company’s results of operations, liquidity or financial condition, or could impact previously reported financial statements. The discussion should include any material realized or potential reduction in revenues, increase in cybersecurity protection costs, and related litigation. Furthermore, even if an attack did not result in direct losses, such as in the case of a failed attempted attack, but did result in other consequences, such as a material increase in cybersecurity expenses, disclosure would be appropriate.