SEC On Cybersecurity Disclosure Guidance

Posted by on April 09, 2018

SEC On Cybersecurity Disclosure Guidance- Today is the continuation in a LawCast series talking about the new SEC guidance on cybersecurity. On February 20, 2018, the SEC issued new interpretative guidance on public company disclosures related to cybersecurity risks and incidents. I’ve talked generally about the guidance and will now begin discussing specific areas of disclosure guidance.

Obviously, where appropriate, cybersecurity risks need to be included in risk factor disclosures. The SEC guidance in this regard is very common-sense. Companies should evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber-incidents and the severity and frequency of those incidents. Companies should consider the probability of an incident and the quantitative and qualitative magnitude of the risk, including potential costs and other consequences of an attack or other incident. Consideration should be given to the potential impact of the misappropriation of assets or sensitive information, corruption of data or operational disruptions. A company should also consider the adequacy of preventative processes and plans in place should an attack occur. Actual threatened attacks may be material and require disclosure.

As with all risk-factor disclosures, the company must adequately describe the nature of the material risks and how such risks affect the company. Likewise, generic risk factors that could apply to all companies should not be included. Risk factor disclosure may include:

• Discussion of the company’s business operations that give rise to material cybersecurity risks and the potential costs and consequences, including industry specific risks and third-party and service-provider risks;
• The costs associated with maintaining cybersecurity protections, including insurance coverage;
• The probability of an occurrence and its potential magnitude;
• Potential for reputational harm;
• Description of past incidents, including their severity and frequency;
• The adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including any limits on the company’s ability to prevent or mitigate risks;
• Existing and pending laws and regulations that may affect the companies cybersecurity requirements and the associated costs; and
• Litigation, regulatory investigation and remediation costs associated with cybersecurity incidents.

In MD&A a company should consider all the same factors that it would consider in its risk factors. A company would need to include discussion of cybersecurity risks and incidents in its MD&A if the costs or other consequences associated with one or more known incidents or the risk of potential future incidents result in a material event, trend or uncertainty that is reasonably likely to have a material effect on the company’s results of operations, liquidity or financial condition, or could impact previously reported financial statements. The discussion should include any material realized or potential reduction in revenues, loss of intellectual property, remediation efforts, maintaining insurance, increase in cybersecurity protection costs, addressing harm to reputation and litigation and regulatory investigations. Furthermore, even if an attack did not result in direct losses, such as in the case of a failed attempted attack, but does result in other consequences, such as a material increase in cybersecurity expenses, disclosure would be appropriate.