In October 2011, the U.S. Securities and Exchange Commission’s Division of Corporation Finance issued “CF Disclosure Guidance: Topic No. 2”, which was a guidance intended to provide some clarity as to the material cyber risks that a publicly traded company should disclose. I previously wrote about the guidance. This blog post is the first of a three-part series to take a deeper look at the guidance: what does the guidance mean and require (Part I), how is the SEC using/enforcing the guidance (Part II), and how are companies complying with the guidance (Part III)?
What is a disclosure guidance?
A disclosure guidance provides the views of a specific division of the SEC (in this case, the Division of Corporation Finance) regarding disclosure obligations (in this case, disclosure obligations relating to cybersecurity risks and cyber incidents). It is not a rule, regulation, or statement of the Securities and Exchange Commission. The SEC has neither approved nor disapproved its content. In fact, the guidance did very little to change the legal landscape because companies are already required to disclose materials risks and incidents, so to the extent a cyber risk/incident is material, it must be disclosed regardless of the subject disclosure guidance. Nevertheless, at a minimum, the guidance has brought attention to the need for a company to disclose risks/incidents related to cybersecurity and it attempts to clarify the types of cyber risks/incidents that should be disclosed.
What is the likelihood that the SEC will more clearly mandate disclosure of cyber incidents and risks?
Based on some recent events, there is a reasonable likelihood that we will see a Commission-level statement relatively soon, clearly and explicitly requiring publicly traded companies to disclose material cyber incidents and risks in their public filings.
On April 9, 2013, Senator Jay Rockefeller sent a letter to the recently confirmed SEC Chairwoman, Mary Jo White, in which he strongly urged the SEC to issue the guidance at the Commission level. Senator Rockefeller cited investors’ needs to know whether companies are effectively addressing their cybersecurity risks, and a need for the private sector to make significant investments in cybersecurity.
Chairwoman White responded positively to Senator Rockefeller’s letter. She reiterated the existing disclosure requirements to disclose risks and events that a reasonable investor would consider material. She also informed Senator Rockefeller that she has asked the SEC staff to provide her with a briefing of current disclosure practices relating to cyber incidents/risks and overall compliance with the guidance, as well as recommendations for further action in this area. In short, I would not be surprised to see further instruction from the SEC on the cyber incident/risk disclosure issue this year.
What is a cybersecurity risk or cyber incident under the guidance?
According to the guidance, a cyber incident can result from a deliberate attack or unintentional event and may include gaining unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data, or causing operational disruption. Not all cyber incidents require gaining unauthorized access; a denial-of-service attack is such an example. These incidents can be carried out by third parties or insiders and can involve sophisticated electronic circumvention of network security or social engineering to get information necessary to gain access. The purpose may be to steal financial assets, intellectual property, or sensitive information belonging to companies, their customers, or their business partners.
Which cyber risks and incidents should be disclosed?
Publicly traded companies must disclose timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision. According to the guidance, material information about cybersecurity risks and cyber incidents must be disclosed when necessary to make other required disclosures not misleading.
What factors should a company consider in determining whether a risk or incident should be disclosed?
According to the guidance, companies should consider a number of factors in determining whether to disclose a cybersecurity risk, including: (1) prior cyber incidents and the severity and frequency of those incidents; (2) the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks (including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption); and (3) the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they were aware.
What should a company disclose about a cyber risk or incident after it has determined that it wishes to make a disclosure?
Once a company has determined that it will disclose a risk or incident, it must adequately describe the nature of the material risks and specify how each risk affects the company. Generic risks need not be disclosed. Examples of appropriate disclosures include: (1) discussion of aspects of the business or operations that give rise to material cybersecurity risks and the potential costs and consequences; (2) descriptions of outsourced functions that have material cybersecurity risks and how the company addresses those risks; (3) descriptions of cyber incidents experienced by the company that are individually, or in the aggregate, material, including a description of the costs and other consequences; (4) risks related to cyber incidents that remain undetected for an extended period; and (5) description of relevant insurance coverage. The disclosure should be tailored to the company’s particular circumstances and avoid generic “boilerplate” disclosure. That said, companies are not required to disclose information that would compromise the company’s cybersecurity. Instead, companies should provide sufficient disclosure to allow an investor to appreciate the nature of the risks faced by the company in a manner that would not compromise the company’s cybersecurity.
Where in the public filing should the disclosure(s) be made?
There are a number of places in a company’s public filing where a disclosure of a cyber incident or risk may be made:
(1) Management’s Discussion and Analysis of Financial Condition – if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to affect the company’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results of financial condition. An example provided in the guidance is a cyber attack that results in theft of material stolen intellectual property; there, the company should describe the property that was stolen, and the effect of the attack on its results of operations, liquidity, and financial condition, and whether the attack would cause reported financial information not to be indicative of future operating results or financial condition. If it is “reasonably likely” that the attack will lead to reduced revenues, an increase in cybersecurity protection costs, or litigation costs, then those outcomes, the amount, and duration, should be discussed.
(2) Description of Business – if a cyber incident affects a company’s products, services, relationships with customers/suppliers, or competitive conditions, then the company should disclose these effects in the “Description of Business” section of the public filing. An example provided in the Guidance is where a cyber incident materially impairs the future viability of a new product in development; such an incident and the potential impact should be discussed.
(3) Legal Proceedings – if a legal proceeding to which a company “or any of its subsidiaries” is a party involved a cyber incident, information may need to be disclosed in the “Legal Proceedings” section of the public filing. The example provided in the Guidance is where customer information is stolen, which results in material litigation; there, the name of the court, the date the lawsuit was filed, the parties, a description of the factual basis, and the relief sought should be disclosed.
(4) Financial Statement Disclosures – companies should consider whether cyber risks and incidents have an impact on a company’s financial statements, and, if so, include them.
DISCLAIMER: The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients. Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients. All of the data and information provided on this site is for informational purposes only. It is not legal advice nor should it be relied on as legal advice.