Overview

  • The SEC's Division of Corporation Finance has issued guidance to public companies about disclosing the cybersecurity measures they employ, information related to actual and potential cyber incidents, and the potential costs stemming from any such incidents.
  • Public companies will need to disclose information about cybersecurity and actual or potential cyber incidents that could materially impact their operational or financial condition.

Discussion

Protecting information technology systems and the data they hold has become one of the most important and most difficult tasks a company must manage. The costs of having a system hacked or otherwise compromised can be substantial, especially when the incident exposes private customer information such as Social Security numbers. On October 13, 2011, the Division of Corporation Finance of the Securities and Exchange Commission (the "Division") acknowledged the importance of cybersecurity by issuing CF Disclosure Guidance: Topic No. 2 (the "Guidance"), which addresses how public companies should disclose the cybersecurity measures they employ, information about actual and potential cyber incidents (whether deliberate attacks or unintentional events), and the potential costs of any such incidents. Although the Guidance creates no new rules or regulations, it emphasizes that cybersecurity and its ramifications are a significant risk that may have to be disclosed under existing securities law.

A company must strike an appropriate balance when disclosing details about its cybersecurity posture. It need not describe its security systems or past incidents in such detail that the disclosure becomes a "road map" for potential attackers, but the disclosure must be more than a generic, boilerplate description of a system or an incident that could apply to any company.

The Division identified the following sections of a company's SEC filings in which cybersecurity disclosure may be appropriate:

  • Risk Factors – Cybersecurity risks should be disclosed if they are among the most significant factors that make an investment in the company speculative or risky. That determination depends on, among other things, the frequency and severity of prior cyber incidents, the likelihood of future incidents and their potential qualitative and quantitative costs, and the adequacy of the measures taken to prevent them.
  • Management's Discussion and Analysis of Financial Condition and Results of Operations ("MD&A") – The MD&A should address cybersecurity to the extent a cyber incident is reasonably likely to have a material effect on the company's results of operations, liquidity, or financial condition, or would cause previously reported financial and operational performance to no longer be indicative of future performance.
  • Description of Business – A company should disclose in this section of its SEC filings information related to a cyber incident that materially affected the company's products, services, business relationships (with vendors or customers), or competitive conditions.
  • Legal Proceedings – Cyber incidents may result in lengthy and costly litigation, particularly incidents involving breaches of private customer information. If litigation stemming from such an incident is material, the company should disclose the details of the litigation and the relief sought.
  • Financial Statement Disclosures – Cyber incidents can affect the financial statements in a variety of ways. A company must consider how to recognize losses arising from breaches of warranty or contract, indemnification obligations, and similar claims, and how to account for assets such as goodwill or trademarks whose value has been impaired by the incident. An incident that occurred after the balance sheet date and constitutes a material nonrecognized subsequent event should also be disclosed, together with an estimate of its financial effect.
  • Disclosure Controls and Procedures – If a cyber incident could impair a company's ability to record, process, summarize, and report information that must be disclosed in its SEC filings, the company should consider that impairment when evaluating, and disclosing its conclusions about, the effectiveness of its disclosure controls and procedures.

The principles laid out in the Guidance are not new and should not be viewed as creating additional disclosure obligations. The Division is, however, deliberately flagging cybersecurity as an issue that must be considered and, where appropriate, disclosed, so that investors fully understand the effect that cybersecurity and cyber incidents can have on a company.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.