SEC's Current Disclosure Guidance to Cybersecurity Risks and Cyber Incidents
Posted by Laura Anthony, Esq. on December 11, 2017
On October 13, 2011, the SEC issued a Disclosure Guidance related to cybersecurity risks and cyber incidents. The guidance attempts to strike a balance between the disclosure mandate of providing material information about risks to the investing community and a company's need to refrain from providing disclosure that could, in and of itself, provide a road map to the very breaches the company is trying to prevent. In that regard, the SEC is clear that disclosure of actual detailed security measures is not required. As with the disclosure rules in general, companies must consider their specific facts and circumstances in determining the required disclosure, if any.
Cyber-incidents can take many forms, both intentional and unintentional, and commonly include the unauthorized access of information, including personal information related to customers’ accounts or credit information, data corruption, misappropriating assets or sensitive information or causing operational disruption. A cyber-attack can be in the form of unauthorized access or a blocking of authorized access.
The purpose of a cyber-attack can vary as much as the methodology used, ranging from financial gain, such as the theft of financial assets, intellectual property or sensitive personal information, on the one hand, to a vengeful or terrorist motive pursued through business disruption on the other. A primary example of the latter is the well-known hacking of the Sony Pictures Entertainment email system in 2014.
When a company is the victim of a cyber-attack or incident, it will suffer direct financial and indirect negative consequences, including but not limited to:
• Remediation costs, including liability for stolen assets, costs of repairing system damage, and incentives or other costs associated with repairing customer and business relationships;
• Increased cybersecurity protection costs to prevent both future attacks and the potential damage caused by same. These costs include organizational changes, employee training and engaging third-party experts and consultants;
• Lost revenues from unauthorized use of proprietary information and lost customers;
• Litigation; and
• Reputational damage.
Consistent with all disclosure guidance, the SEC begins its guideline with the basic premise that the disclosure requirements are meant to “elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision.” With that said, as of the date of the guidance, and as of today, there is no specific disclosure requirement or rule under either Regulation S-K or S-X that addresses cybersecurity risks, attacks or other incidents.
However, many of the disclosure rules encompass these disclosures indirectly, such as those covering risk factors, internal control assessments, management's discussion and analysis, legal proceedings and financial statement loss contingencies. Moreover, as with all other disclosure requirements, an obligation to disclose cybersecurity risks, attacks or other incidents may be triggered where such disclosure is necessary to keep other required disclosures from being misleading in light of the circumstances.