Risks of Cyber Attacks
If you are an executive for a public company, new SEC guidance requires you to consider cybersecurity in your ongoing periodic reports. As evidenced by the barrage of news reports over the past couple of years, cyber incidents have become very significant events for all types of companies. A recent example was the data breach of Sony Corporation’s PlayStation Network. These cyber incidents can cause companies to spend substantial amounts of money and time attempting to reduce or correct the associated damage, including significant reputational damage. All companies must make significant capital investments in systems and measures designed to prevent future cyber incidents or at least mitigate their harmful effects. Unfortunately, the number of cyber incidents will continue to increase, and the tactics used by hackers will become more sophisticated and harder to prevent and control.
Congress Gets Involved
Last year, a group of U.S. senators recognized that cybersecurity incidents and the associated costs were a major risk for many companies and that many public companies were not adequately disclosing these events. The senators also recognized the growing risks of cybersecurity and cyber incidents, and that there was very little guidance for public companies on their disclosure responsibilities in connection with cybersecurity. These senators wrote a letter to SEC Chairman Schapiro asking for interpretive guidance on how to address disclosure of cybersecurity and cyber incidents and the associated risks and economic effects.
SEC Sets Expectations
In response to the Senate inquiry, the SEC recently issued CF Disclosure Guidance: Topic No. 2 (the “Disclosure Guidance”), which sets forth the SEC’s expectations for public company cybersecurity disclosure. Public companies of all sizes and industries should carefully review this guidance. While the Disclosure Guidance only provides recommended disclosure practices, we recommend that public companies treat it as definitive guidance on the topic and adjust their disclosure practices to meet the SEC’s expectations.
Where You Should Look to Add Additional Disclosure
The Disclosure Guidance identifies six areas where you should consider additional cybersecurity disclosure:
1. Risk Factors
- Add risk factors related to cyber incidents if cyber incidents are among the material risks that the company faces. Appropriate disclosures could include:
  - Discussion of aspects of your business that may cause material cybersecurity risks;
  - If your business outsources functions that have material cybersecurity risks, a description of those functions and how your business handles those risks;
  - Description of material cyber incidents experienced by your business, including a description of associated costs;
  - Risks related to cyber incidents that could remain undetected; and
  - Description of relevant insurance coverage (cyber insurance).
- Assess your company’s risks considering all information related to your company’s specific cybersecurity situation, including such things as past incidents, possible future incidents, and the potential costs and other consequences of a cyber incident.
2. Management’s Discussion and Analysis (MD&A)
- If known incidents or the risk of potential incidents represent a material event, trend, or uncertainty, disclosure would be appropriate in the MD&A. Disclosure here primarily relates to costs and other consequences that may have a material economic effect on your company’s operations in the future.
3. Description of Business
- If cyber incidents have had a material effect on your company’s products, services, or other key components of your company’s business, you should provide additional disclosure in the “Description of Business.”
4. Financial Statement Disclosures
- Material costs associated with cyber incidents and preventative measures should be disclosed. These costs may be substantial, since both responding to actual cyber incidents and implementing preventative measures can be expensive.
- Your company may be able to capitalize some of the costs of internal-use software.
- If your company provides customers with payments and other incentives to compensate them for the effects of a cybersecurity breach, these customer payments and incentives must be recognized appropriately.
- Keep in mind subsequent event disclosure obligations and the potential effects on goodwill and other intangible assets resulting from lower future cash flows caused by a cyber incident.
5. Litigation and Other Legal Proceedings
- If your company is involved in material legal proceedings as a result of a cyber incident or cybersecurity measures, you should consider disclosing such proceedings and their potential economic impact.
6. Disclosure Controls and Procedures
- If cyber incidents create a risk to your ability to adequately record, process, summarize, and report required information, your company’s disclosure controls may not be effective.
You should immediately review your company’s cybersecurity disclosure obligations in view of the guidelines provided in the Disclosure Guidance.