New mandated cybersecurity disclosure requirements appear to be imminent. Cybersecurity has become a critical issue for most companies, and almost all companies today face cybersecurity risks due to the substantial increases in the volume of data and information stored online, the rise of multiple platforms for accessing data and the sophistication of criminal hackers. Cyber incidents such as a data breach or an intrusion into a company’s systems can have very negative and expensive results. These risks are considerably higher for any company that stores personal information or that operates in a regulated industry such as financial services or health care. Despite this significant increase in cybersecurity risks and the liabilities associated with such cyber incidents, however, public companies to date have had very little guidance regarding their disclosure obligations in this area.
The primary guidance that the SEC has issued on cybersecurity disclosure to date has been the 2011 CF Disclosure Guidance: Topic No. 2 (Cybersecurity) (the “Release”) issued by the SEC’s Division of Corporation Finance on October 13, 2011. This Release was helpful in that it gave some indication of the Division of Corporation Finance’s positions on cybersecurity issues and cyber incidents. The Release provided overall guidance, however, and did not provide detailed information or instructions on cyber disclosure. Additionally, the Release did not contain official SEC rules or regulations. Accordingly, companies could use the Release for broad principles but were still left to develop disclosure information about cybersecurity and other similar matters based on their own evaluations of what should be disclosed.
Under the Release, some of the items that public companies are advised to address include:
- review the adequacy of their disclosure regarding cybersecurity and cyber incidents on a regular basis;
- disclose the risks of cyber incidents in “Risk Factors” if these items are significant risk factors that would make an investment in the company speculative or risky;
- disclose known or threatened cyber incidents;
- address cybersecurity risks and cyber incidents in the Company’s Management’s Discussion and Analysis if the costs or other consequences associated with such incidents are reasonably likely to have a material effect on the Company’s results of operations, liquidity or financial condition or would cause reported financial information to not be indicative of future operating results or financial condition;
- disclose a cyber incident in “Description of Business” if the cyber incident materially affected the company’s products, services, relationships with customers or suppliers or competitive conditions;
- make disclosures in “Legal Proceedings” as appropriate; and
- make appropriate financial statement disclosures.
Of course, these items are merely guidelines and do not provide direct guidance for a company regarding cybersecurity risks or cyber incidents. As a result, many companies are left wondering what they really need to do to protect themselves in connection with the disclosure of cybersecurity risks and cyber incidents. This situation has also become much more critical recently as a result of the significant number of cyber attacks and incidents that have occurred with U.S. companies, the increasing sophistication and severity of such attacks and the high probability that these attacks will continue and intensify.
In response to this situation and the uncertainty that it has engendered for many companies, some members of Congress are reported to be considering enacting legislation that would require the SEC to provide firm and official guidance on companies’ disclosure obligations in connection with cybersecurity risks and cyber incidents. Senator Jay Rockefeller, Chairman of the U.S. Senate Commerce, Science and Transportation Committee, recently said that he plans to soon propose adding provisions to pending cyber legislation that would require the SEC to provide this firm and official guidance on the disclosure of cybersecurity risks and cyber incidents. Senator Rockefeller’s proposal would add provisions to the pending Cybersecurity Act of 2012 (SB 2105) that would require the SEC to issue formal interpretive guidance on the disclosure obligations associated with cybersecurity and cyber incidents. Senator Rockefeller is one of the sponsors of the proposed Cybersecurity Act in the Senate.
The proposed Cybersecurity Act was introduced in February 2012, but the Senate has not yet voted on it. It is difficult to predict when (or if) this vote will happen and when, if ever, the Act will be voted on by the House of Representatives. This is complicated by the presence of several competing cybersecurity bills that are being moved through Congress by their supporters. Support for the Act in the Senate has reportedly been lagging, but recently several Senators introduced a revised version of the Act that they hope will revitalize support for it. I believe that this Act or something similar will become law at some point soon. In any case, of course, the SEC can also act on its own to implement new disclosure requirements.
The SEC has indicated that it considers cybersecurity to be a high-priority disclosure item. For example, Meredith Cross, Director of the Division of Corporation Finance, recently said at a meeting of the Society of Corporate Secretaries and Governance Professionals that the Division will focus more on cybersecurity issues and will raise comments in this area, especially where a registrant’s data or systems have been attacked or compromised.
What does this really mean for companies that are striving to confirm their disclosure responsibilities in the areas of cybersecurity and cyber incidents? We believe that there are several actions that companies should take now to protect their positions and to mitigate potential disclosure problems:
- There will clearly be mandated disclosure of cybersecurity risks and cyber incidents at some point soon, and it could happen quickly. Follow the progress of these new disclosure requirements and get out ahead of the curve in your company’s disclosure policy.
- Closely evaluate your business and determine the actual and potential effects of cybersecurity and cyber incidents on your specific situation. The effects of cybersecurity risks and cyber incidents vary widely in various industries and situations. In the absence of controlling SEC disclosure obligations, use standard securities law analysis to determine what should be disclosed in this area.
- Get familiar with the terms of the Release (as discussed above) and use it for guidance even though it is not binding.
- Fully comply with existing Federal and state cyber and cyber incident laws at all times. For example, most states have laws that govern data breaches and many of these state laws have very strict compliance requirements, especially if personally identifiable information is involved.
- If your company operates in a regulated industry (such as health care or financial services), it may have additional and much more stringent legal obligations in the cybersecurity and cyber incident area. Ensure that your company is fully compliant with these additional laws and regulations.