SEC Issues Guidance on Cybersecurity Disclosures
By: ALEXANDER ROSENSTEIN
On October 13, 2011, the Securities and Exchange Commission (SEC) released guidance regarding disclosure obligations of public companies relating to cybersecurity risks and cyber incidents.
The SEC noted that as companies have become more dependent upon digital technologies, the risks relating to cybersecurity have also increased, resulting in more frequent and severe cyber incidents. Examples of these incidents include gaining unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data or causing operational disruption, and causing denial-of-service attacks on Web sites. Companies may incur substantial costs and suffer other negative consequences, such as remediation costs, increased cybersecurity protection costs, lost revenues, litigation, and reputational damage.
Public companies have the obligation to provide timely, comprehensive, and accurate disclosure of risks and events that a reasonable investor would consider important to an investment decision. The SEC’s guidance covers a number of existing disclosure requirements that may impose an obligation on registrants to disclose risks and incidents relating to cyber issues; it does not create new disclosure rules or categories. The SEC noted that material information regarding cybersecurity risks and cyber incidents must be disclosed when necessary to ensure that other required disclosures, in light of the circumstances under which they are made, are not misleading.
The SEC acknowledged that companies may have concerns that detailed disclosures on these issues would compromise cybersecurity efforts; for example, disclosures could provide a “roadmap” to those seeking to infiltrate a company’s network. The SEC emphasized that such disclosures are not required.
The following is a summary of the SEC’s guidance:
Risk Factors
Companies should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company risky. As with other potential risk areas, companies should evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents. In addition, companies should consider the probability of future cyber incidents occurring and the potential magnitude of those risks. The specific factors described in risk factors covering cybersecurity risks will vary depending on each company’s particular risks, but companies should not include risk factors that could apply to any issuer or any offering and should avoid generic risk factor disclosure.
Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A)
The MD&A section should address cybersecurity risks and cyber incidents if the costs or other consequences associated with known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the company’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.
Description of Business
A company should include disclosure regarding cyber incidents in its “Description of Business” section if cyber incidents materially affect the company’s products, services, relationships with customers or suppliers, or competitive conditions.
Legal Proceedings
A company would need to disclose information regarding any material pending legal proceeding that involves a cyber incident.
Financial Statement Disclosures
A company’s financial statements may be impacted by cyber risks and incidents in various ways. For example, a company may need to incur costs to prevent or remediate cyber incidents, and in some cases provide customers with incentives to maintain business relationships following a cyber incident. Cyber incidents may result in losses from claims, such as warranty, breach of contract, product recall and replacement, and indemnification. Companies would need to provide disclosures relating to losses from asserted and unasserted claims that are reasonably possible. Cyber incidents may result in diminished future cash flows, which would require a company to consider impairment of certain assets, and companies may be required to make estimates of costs of the impact of a cyber incident before those costs are fully known. Finally, companies should consider whether subsequent event disclosure of a cyber incident that occurs after the date of the financial statements is necessary.
Disclosure Controls and Procedures
Companies are required to disclose their conclusions on the effectiveness of disclosure controls and procedures on a quarterly basis. If cyber incidents create a risk to the company’s ability to record, process, summarize, and report information that is required to be disclosed in SEC filings, there may be deficiencies in the disclosure controls and procedures that would render them ineffective, which the company would need to disclose.
A company with an effective shelf registration should consider whether material cyber incidents would need to be disclosed on a Form 8-K (or Form 6-K, in the case of foreign issuers) in order to maintain the accuracy and completeness of the information in the shelf registration statement.
Going forward, public companies should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents. Please contact a member of our Securities Group for further information.