SEC Corporate Finance Division Provides Guidance on Disclosure Obligations Relating to Cybersecurity Risks and Cyber Incidents
As companies rely increasingly on technology to conduct operations, the number and severity of cyber incidents have risen dramatically. In response to this trend in cyber attacks and incidents, and prompted by the growing focus of registrants and legal and accounting professionals on the necessity of disclosing cybersecurity risks and incidents, the Division of Corporation Finance (“CF Division”) of the Securities and Exchange Commission (“SEC”) recently issued CF Disclosure Guidance: Topic No. 2, Cybersecurity, setting forth the CF Division’s views regarding such disclosure obligations within the framework of existing disclosure requirements. Companies should consider this guidance in evaluating whether and to what extent cybersecurity risks and cyber incidents are required to be disclosed.
Acknowledging that the SEC’s existing disclosure requirements do not explicitly address cybersecurity risks and incidents, but cognizant of the burgeoning costs and other consequences that arise from cyber attacks and incidents, the guidance reviews a number of existing disclosure requirements that may impose an obligation on registrants to disclose cyber risks and incidents. Consistent with the approach to cybersecurity generally found in federal privacy and data security laws, the guidance does not espouse a one-size-fits-all approach to disclosure. Rather, the necessity for disclosure depends on the registrant’s specific facts and circumstances viewed in the light of what a reasonable investor would consider important to an investment decision. Registrants must assess, on an ongoing basis, the adequacy of their disclosures on cybersecurity risks and incidents so as to provide timely and accurate information on the impact such risks and incidents may have on a company’s business operations and to ensure past disclosures are not misleading in light of the changed circumstances.
The release of the CF Division’s disclosure guidance follows a spate of high-profile data breaches in recent months and a notorious digital attack by hacktivists earlier in the year. Interestingly, the guidance includes in its description of cyber incidents both intentional cyber attacks (such as unauthorized access by third parties to obtain sensitive information) and unintentional cyber events (such as the inadvertent posting of personally identifying information on a contractor’s website). The majority of the discussion, however, focuses on cyber attacks.
Whether an incident is intentional or inadvertent, the company may incur substantial costs, reputational damage, loss of customers, litigation and potential congressional inquiry, which may trigger disclosure obligations not only of the cyber incident but of the protective measures adopted by the company in response to such event. Nevertheless, the guidance expressly states that detailed disclosures that could compromise a company’s cybersecurity efforts by, for example, providing a “roadmap” for those seeking to infiltrate the company’s network security, are not required under the federal securities laws.
Summary of Disclosure Guidance
The CF Division’s disclosure guidance discusses the following disclosure requirements that companies should consider when determining whether and to what extent disclosures of cybersecurity risks and incidents may need to be provided.
- Risk Factors: Item 503(c) of Regulation S-K requires a company to disclose cybersecurity risks if such incidents are among the most significant factors that may make an investment in the company speculative or risky. As is the case when evaluating any risk factor disclosure, a company is required to consider all available, relevant information in making its determination, including prior cyber incidents and the severity and frequency of those incidents. Thus, companies in industries that are more prone to cyber attacks or acts of hacktivism should take that tendency into account in evaluating the necessity of risk factor disclosure. Registrants should evaluate the frequency and severity of prior cyber incidents, the probability of future incidents, the quantitative and qualitative magnitude of risks from such incidents—including the potential costs and other consequences resulting from stolen assets or information, data corruption or operational disruption—and the adequacy of preventative measures taken to reduce such risks in the context of the industry in which the registrant operates. Here too, the guidance reiterates that federal securities laws do not require disclosure of the type that would compromise cybersecurity measures.
Where risk factor disclosure is warranted, the guidance lists a number of items that may be appropriate to include in such disclosure, including those aspects of the registrant’s business that give rise to material cybersecurity risks, any outsourced functions that carry material security risks, and relevant insurance coverage.
- Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A): Management should address cybersecurity risks and cyber incidents in their MD&A if the costs or other consequences associated with known incidents or the risk of potential incidents represent a material event, trend or uncertainty that is reasonably likely to have a material effect on the company’s results of operations, liquidity or financial condition, or would cause reported financial information not to be necessarily indicative of future operating results or financial condition. For example, if a cyber attack compromises a company’s intellectual property or other sensitive data and the effects of the compromise are reasonably likely to be material, the company should describe such effects, which may include reduced revenues, an increase in cybersecurity protection costs or an increase in litigation costs. In such cases, disclosure should include the amount and duration of the increased expenditures if material. The guidance suggests limited disclosure even where the attack does not result in compromised data or stolen property if, as a result of the attack, the registrant materially increases its cybersecurity protection expenditures.
- Description of Business: If a cybersecurity incident materially affects the company’s products, services, customer or supplier relationships or competitive conditions, the company should provide appropriate disclosures pursuant to Item 101 of Regulation S-K.
- Legal Proceedings: Where a cyber incident results in litigation that is material to the company, disclosure of the proceedings would be required under Item 103 of Regulation S-K.
- Financial Statement Disclosures: The guidance sets forth a number of ways in which cybersecurity risks and incidents could materially impact the financial statements of a company. Prior to a cyber incident, a company may incur substantial costs to prevent a cyber incident. During and after a cyber incident, a company may incur substantial expenditures to mitigate damages to its relationships with customers or suppliers, such as offering customer or supplier incentives, or it may incur losses from asserted or unasserted claims relating to the incident, including those related to warranties, breach of contract, product recall and replacement and indemnification of counterparty losses. A cyber incident may also result in diminished cash flows, which could lead to the impairment of certain assets. It may take time to determine the impact of a cyber incident requiring the development of estimates to account for various financial implications. If a cyber incident is discovered subsequent to a company’s balance sheet date but prior to the issuance of its financial statements, the company should also consider the need for disclosure of a recognized or non-recognized subsequent event.
- Disclosure Controls & Procedures: If a company experiences a cyber incident that poses a risk to its ability to record, process, summarize and report information required to be disclosed in SEC filings, the company should consider whether there are any deficiencies in its disclosure controls and procedures that could render them ineffective.
As evidenced in the above summary, the CF Division’s disclosure guidance does not create any additional disclosure obligations for public companies, but rather assists companies in assessing what, if any, disclosures should be provided about cybersecurity matters under existing disclosure rules. With the increased media attention on data breaches and cyber attacks by hacktivist groups such as Anonymous, a reasonable investor is more likely to consider cybersecurity risks and cyber incidents important to an investment decision.
Why is the CF Division’s guidance important even though it is guidance and not a rule? It is important for the following reasons:
- Its scope is not limited to reporting a breach of personally identifying information or health or financial information, but rather addresses all types of losses resulting from cyber attacks and incidents—from loss of intellectual property assets to loss of reputation;
- It presupposes that companies have protective measures in place—that is, mechanisms for identifying, quantifying and responding to cybersecurity risks;
- It is likely to increase the flow of information concerning cyber threats, cyber attacks and data breaches—information that may benefit cybersecurity efforts in general but which companies are often reluctant to disclose.
In light of this guidance, companies should evaluate carefully their—and their industry’s—cybersecurity risks and any cyber incidents to ensure that their related disclosures, as well as their procedures to mitigate such risks, are adequate. Breach response plans may also need to be updated to call for an evaluation of disclosure obligations. Organizational changes may be warranted as well. For example, new reporting channels within companies may need to be established to ensure that individuals responsible for disclosures are briefed adequately on the company’s security incidents and risks, and companies may need to take steps to ensure that management has a deep enough understanding of cyber risks to allow for informed decision-making regarding disclosure obligations.
If you have any questions regarding this alert, please contact:
- Bruce S. Mendelsohn
- Joseph L. Motes III
- Christine B. LaFollette
- Jo-Ellyn Sakowitz Klein