This market trends article identifies cybersecurity risk disclosures that offer detailed discussions on the potential reputational, financial, or operational harm resulting from cybersecurity breaches and the potential litigation or regulatory costs, policies, and procedures in addressing cybersecurity risks. This article concludes with practical advice on how to prepare and enhance the required disclosures on cybersecurity risks and incidents.

For further information on public company disclosure in general, see Public Company Periodic Reporting and Disclosure Obligations and Periodic and Current Reporting Resource Kit. For other market trends articles covering various capital markets and corporate governance topics, see Market Trends.

On October 16, 2018, the Securities and Exchange Commission (SEC) released a report pursuant to Section 21(a) of the Securities Exchange Act of 1934 (the Exchange Act) detailing its investigation of several public companies that were victims of cybersecurity-related frauds. While the SEC decided not to pursue enforcement actions against these companies, it emphasized the duty of a public company to comply with the requirements of Section 13(b)(2)(B) of the Exchange Act to devise and maintain a sufficient system of internal accounting controls. On December 6, 2018, SEC Chairman Jay Clayton, in his speech, highlighted cybersecurity risks as one of the prominent challenges the SEC faces. Chairman Clayton reiterated the SEC's statement and interpretive guidance regarding disclosures on cybersecurity risks and incidents issued earlier in 2018 (2018 Guidance).

Under the 2018 Guidance, public companies are required to disclose cybersecurity risks and cyber incidents to the extent that these are material. In evaluating whether cybersecurity risks or incidents are material, a public company should consider, among other things, the nature and magnitude of cybersecurity risks or prior incidents; the actual or potential harms of a breach to the company's reputation, financial condition, or business operation; the legal and regulatory requirements to which the company is subject; the costs associated with cybersecurity protection, including preventative measures and insurance; and the costs associated with cybersecurity incidents, including remedial measures, investigations, responding to regulatory actions, and addressing litigation.

On January 27, 2020, the SEC's Office of Compliance Inspections and Examinations (OCIE) issued a report of observations arising from OCIE's examinations on how various broker-dealers, investment advisers, clearing agencies, national securities exchanges, and other SEC registrants manage cybersecurity risks and enhance operational resiliency. OCIE classified their cybersecurity practices into seven categories: governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and training and awareness.

Once cybersecurity risks and incidents are determined to be material, a public company should provide complete and accurate information in its periodic reports regarding these risks, incidents, and related investigations or litigations.

Public companies generally include cybersecurity-related disclosures in the following sections of their offering materials and periodic reports: Risk Factors, Business, and Management's Discussion and Analysis of Financial Condition and Results of Operations (MD&A). Most of the initial cybersecurity disclosures were generic boilerplate provisions or laundry list of risks applicable to almost any company. These disclosures simply included general statements about cybersecurity risks and incidents but did not particularly disclose how these cybersecurity risks and incidents might impact the company, its management, operations, contractors, and prospects. At present, companies commonly provide detailed discussions of ongoing cybersecurity litigations and actions in their Notes to Financial Statements that are incorporated by reference in offering materials or periodic reports. This article identifies some cybersecurity-related disclosures that offer more detailed discussions of effects.

Cybersecurity Disclosures in the Risk Factor Section

Item 503(c) (17 C.F.R. § 229.503) of Regulation S-K requires a description of material risks that impact a business; how these risks affect the issuer's financial position, results of operations, and future prospects; and how an investment in the offered securities becomes speculative or riskier because of these risks. For further information, see Market Trends 2016/17: Risk Factors, Top 10 Practice Tips: Risk Factors, and Risk Factor Drafting for a Registration Statement. The disclosures should be in plain English and should not be generic. For further information on plain English, see Top 10 Practice Tips: Drafting a Registration Statement and Registration Statement and Preliminary Prospectus Preparations for an IPO. A majority of companies choose to disclose cybersecurity risks in the Risk Factor section. The nature of the disclosures varies by company, but companies that have a strong e-commerce presence or that have experienced a security breach typically provide disclosure with particularity. Companies that are subject to industry regulations on cybersecurity, such as financial service companies, may want to enhance their disclosures by discussing the relevant regulatory development on cybersecurity. When a cybersecurity breach occurs, a company typically discloses such incident together with the remedial actions the company is planning to undertake, the estimated losses arising from the breach, and if there are litigation and regulatory actions or other consequences associated with the cybersecurity breach. Some examples of cybersecurity disclosures in the Risk Factor section are set forth below.

General Disclosure on Cybersecurity Risks

  • Our business could be negatively affected by security threats.

A cyberattack or similar incident could occur and result in information theft, data corruption, operational disruption, damage to our reputation or financial loss. Our industry has become increasingly dependent on digital technologies to conduct certain exploration, development, production, processing and financial activities. Our technologies, systems, networks, or other proprietary information, and those of our vendors, suppliers and other business partners, may become the target of cyberattacks or information security breaches that could result in the unauthorized release, gathering, monitoring, misuse, loss or destruction of proprietary and other information, or could otherwise lead to the disruption of our business operations. Cyberattacks are becoming more sophisticated and certain cyber incidents, such as surveillance, may remain undetected for an extended period and could lead to disruptions in critical systems or the unauthorized release of confidential or otherwise protected information. These events could lead to financial loss from remedial actions, loss of business, disruption of operations, damage to our reputation or potential liability. Also, computers control nearly all the oil and gas distribution systems in the United States and abroad, which are necessary to transport our production to market. A cyberattack directed at oil and gas distribution systems could damage critical distribution and storage assets or the environment, delay or prevent delivery of production to markets and make it difficult or impossible to accurately account for production and settle transactions. Cyber incidents have increased, and the United States government has issued warnings indicating that energy assets may be specific targets of cybersecurity threats. Our systems and insurance coverage for protecting against cybersecurity risks may not be sufficient. Further, as cyberattacks continue to evolve, we may be required to expend significant additional resources to continue to modify or enhance our protective measures or to investigate and remediate any vulnerability to cyberattacks." Blue Dolphin Energy Company, Form 10-K filed on March 30, 2020 (SIC 1311- Crude Petroleum & Natural Gas)

To view the full article, please click here.

Originally Published by Lexis Practice Advisor® on the 22nd of June, 2020

Visit us at

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe - Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2020. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.