My previous post discussed the recent Corporate Finance Disclosure Guidance from the SEC’s Division of Corporation Finance, which provides the Division’s views regarding disclosure obligations relating to cybersecurity risks and cyber incidents. The Guidance has limitations, and this post attempts to address some of them.
One limitation is the legally binding effect of the Guidance. The Guidance states that it “is not a rule, regulation, or statement of the Securities and Exchange Commission. Further, the Commission has neither approved nor disapproved its content.”
Another limitation is to whom the Guidance applies. The Guidance applies to registrants with the SEC (i.e., publicly traded companies). These are entities that must file registration statements under the Securities Act of 1933 and periodic reports under the Securities Exchange Act of 1934.
The Guidance also limits what information must be disclosed. For example, a company is not required to disclose information that would compromise a registrant’s cybersecurity. “Instead, registrants should provide sufficient disclosure to allow investors to appreciate the nature of the risks faced by the particular registrant in a manner that would not have that consequence.”
The Guidance also limits the amount of detail that must be provided in a disclosure, to avoid providing a roadmap that would make future cyber attacks easier: “We are mindful of potential concerns that detailed disclosures could compromise cybersecurity efforts – for example, by providing a ‘roadmap’ for those who seek to infiltrate a registrant’s network security – and we emphasize that disclosures of that nature are not required under the federal securities laws.”
In short, a company that has suffered a cyber attack, or that faces the risk of one, should consider the application of the CF Disclosure Guidance: Topic No. 2. The company should not, however, automatically assume that the Guidance applies to it, and care should be taken to ensure that, to the extent a disclosure is required, it is narrowly tailored to provide the type of information required by the Guidance.
DISCLAIMER: The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients. Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients. All of the data and information provided on this site is for informational purposes only. It is not legal advice nor should it be relied on as legal advice.