Published by Al Saikali

December 2011

My previous post discussed the SEC’s Division of Corporation Finance’s recent Corporate Finance Disclosure Guidance which provides the Division of Corporation Finance’s views regarding disclosure obligations relating to cybersecurity risks and cyber incidents.  There are limitations to this Guidance, and this post attempts to address some of those limitations.

One limitation is the Guidance’s lack of legally binding effect.  The Guidance states that it “is not a rule, regulation, or statement of the Securities and Exchange Commission.  Further, the Commission has neither approved nor disapproved its content.”

Another limitation is to whom the Guidance applies.  The Guidance applies to registrants with the SEC (i.e., publicly traded companies).  These are entities that must file registration statements under the Securities Act of 1933 and periodic reports under the Securities Exchange Act of 1934.

The Guidance also limits what information must be disclosed.  For example, a company is not required to disclose information that would compromise a registrant’s cybersecurity.  “Instead, registrants should provide sufficient disclosure to allow investors to appreciate the nature of the risks faced by the particular registrant in a manner that would not have that consequence.”

The Guidance also limits the amount of detail that must be provided as part of the disclosure in an effort to prevent providing a roadmap that would make future cyber attacks easier:  “We are mindful of potential concerns that detailed disclosures could compromise cybersecurity efforts – for example, by providing a ‘roadmap’ for those who seek to infiltrate a registrant’s network security – and we emphasize that disclosures of that nature are not required under the federal securities laws.”

In short, a company that has suffered a cyber attack, or that faces the risk of one, should consider whether CF Disclosure Guidance: Topic No. 2 applies to it.  The company should not automatically assume that the Guidance applies, and care should be taken to ensure that, to the extent a disclosure is required, it is narrowly tailored to provide only the type of information the Guidance calls for.

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

What obligation does a publicly traded company have to disclose security breaches?  On October 13, 2011, the Securities and Exchange Commission took an important step towards answering this question when it issued guidance that attempts to clarify a company’s obligations to disclose cybersecurity risks in the registration statements and periodic reports the SEC requires.

The “CF Disclosure Guidance: Topic No. 2” provides the SEC’s Division of Corporation Finance’s views regarding disclosure obligations relating to cybersecurity risks.  Publicly traded companies are required to disclose timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision.  The guidance clarifies that this same obligation may apply to cybersecurity risks and incidents if the issues those risks/incidents raise “are among the most significant factors that make an investment in the company speculative or risky.”

In determining whether a risk factor disclosure is required, a company should consider the severity and frequency of prior cyber incidents, including the potential costs and other consequences resulting from misappropriation of sensitive information, corruption of data, or operational disruption.  The company should also consider “the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware.”

The guidance also provides instruction on what an appropriate disclosure should contain once a company has determined that a disclosure is necessary:

  • Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
  • To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
  • Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
  • Risks related to cyber incidents that may remain undetected for an extended period; and
  • Description of relevant insurance coverage.

In my next post, we will look at the limitations of the Guidance.