New mandated cybersecurity disclosure requirements appear to be imminent. Cybersecurity has become a critical issue for most companies, and almost all companies today face cybersecurity risks because of the substantial increase in the volume of data and information stored online, the proliferation of platforms for accessing that data, and the growing sophistication of criminal hackers. Cyber incidents such as a data breach or an intrusion into a company’s systems can have severe and costly consequences. These risks are considerably higher for any company that stores personal information or that operates in a regulated industry such as financial services or health care. Despite this significant increase in cybersecurity risks and the liabilities associated with cyber incidents, however, public companies to date have had very little guidance regarding their disclosure obligations in this area.
The primary guidance that the SEC has issued on cybersecurity disclosure to date has been CF Disclosure Guidance: Topic No. 2 (Cybersecurity) (the “Release”), issued by the SEC’s Division of Corporation Finance on October 13, 2011. The Release was helpful in that it gave some indication of the Division of Corporation Finance’s positions on cybersecurity issues and cyber incidents. However, the Release provided only overall guidance and did not provide detailed information or instructions on cyber disclosure. Additionally, the Release did not contain official SEC rules or regulations. Accordingly, companies could use the Release for broad principles but were still left to develop disclosure about cybersecurity and similar matters based on their own evaluations of what should be disclosed.
Under the Release, some of the items that public companies are advised to address include:
- review the adequacy of their disclosure regarding cybersecurity and cyber incidents on a regular basis;
- disclose the risks of cyber incidents in “Risk Factors” if these items are significant risk factors that would make an investment in the company speculative or risky;
- disclose known or threatened cyber incidents;
- address cybersecurity risks and cyber incidents in the company’s Management’s Discussion and Analysis if the costs or other consequences associated with such incidents are reasonably likely to have a material effect on the company’s results of operations, liquidity or financial condition, or would cause reported financial information not to be indicative of future operating results or financial condition;
- disclose a cyber incident in “Description of Business” if the cyber incident materially affected the company’s products, services, relationships with customers or suppliers or competitive conditions;