Following a request in May 2011 from Senator Jay Rockefeller (D-WVA) to the Securities and Exchange Commission that the SEC advise public companies on when disclosure of cybersecurity risks to investors is mandated, on October 13 the Division of Corporate Finance at the SEC issued a Disclosure Guidance that for the first time advises registrants to evaluate their cybersecurity risks and, if deemed material, to disclose such risks to investors. The Guidance contained this caveat:
The statements in this CF Disclosure Guidance represent the views of the Division of Corporation Finance. This guidance is not a rule, regulation, or statement of the Securities and Exchange Commission. Further, the Commission has neither approved nor disapproved its content.
Still, companies that ignore the advice from the Division of Corporate Finance and fail to assess and disclose material cybersecurity risks do so at their peril — risking regulatory and legal action.
In the introduction to the Guidance, the SEC Staff acknowledged that overly-specific descriptions of cybersecurity risks filed on the public record could serve as a road map to cybercriminals:
We are mindful of potential concerns that detailed disclosures could compromise cybersecurity efforts — for example, by providing a “roadmap” for those who seek to infiltrate a registrant’s network security — and we emphasize that disclosures of that nature are not required under the federal securities laws.
On when disclosure of cybersecurity risks should be disclosed in SEC filings, the Guidance states:
In determining whether risk factor disclosure is required, we expect registrants to evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents. As part of this evaluation, registrants should consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption. In evaluating whether risk factor disclosure should be provided, registrants should also consider the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware.
Thus, the Guidance plainly suggests that a risk assessment is necessary to make the determination on whether disclosure is called for.
In terms of what disclosure is called for, the Guidance states:
Depending on the registrant’s particular facts and circumstances, and to the extent material, appropriate disclosures may include:
- Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
- To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
- Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
- Risks related to cyber incidents that may remain undetected for an extended period; and
- Description of relevant insurance coverage.
The Guidance also advises registrants to address cybersecurity risks and cyber incidents in their MD&A if
the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.
The SEC Staff gave as an example:
if material intellectual property is stolen in a cyber attack, and the effects of the theft are reasonably likely to be material, the registrant should describe the property that was stolen and the effect of the attack on its results of operations, liquidity, and financial condition and whether the attack would cause reported financial information not to be indicative of future operating results or financial condition.
This SEC Guidance is likely to result in public corporations engaging is a substantial and detailed assessment of their cybersecurity risks to determine if public disclosure is required, and may lead to a litigation trend of plaintiffs suing corporation following a data security breach, alleging that the risks of such a breach were not properly assessed or disclosed.
The issuance of the cybersecurity disclosure guidance also raises the possibility that the SEC’s long-dormant proposed revisions to Reg. S-P under the Gramm-Leach-Bliley financial privacy law, that add specific data security steps for companies to follow, may be finalized — as part of the Commission’s effort to address the growing concerns about cybersecurity in corporate America.