On October 13, 2011, the Division of Corporation Finance of the U.S. Securities and Exchange Commission (SEC) issued "CF Disclosure Guidance: Topic No. 2 – Cybersecurity" (the Guidance), available at www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm, regarding a public company's obligation to make certain disclosures concerning cybersecurity risks and cyber incidents. Although the Guidance is not a rule, regulation or statement of the SEC, public companies should nevertheless ensure that their disclosures and their disclosure controls and procedures comply with the Guidance to the extent applicable to their material cybersecurity risks and any cyber incidents.

The Guidance notes there are two separate triggers for cybersecurity disclosures. First, public companies must evaluate cybersecurity risks, regardless of whether a cyber attack has occurred, and assess whether disclosure of those risks is appropriate. A second trigger for disclosure is the occurrence of specific events, including cyber attacks and other cyber incidents. This could mean disclosing information about material investigation costs and other effects, such as when a cyber attack or breach could expose a company to a lengthy government investigation or costly third-party claims, cause significant business interruption and result in lost revenues and impairment of certain assets, undermine the value of services, harm reputation or lead to substantial costs of remediation.

The Guidance describes in further detail the Staff's expectations regarding how and when companies should make specific types of disclosures, including in the financial statements and in the Management's Discussion and Analysis of Financial Condition and Results of Operations (MD&A), Description of Business and Legal Proceedings sections of annual and quarterly reports.

In the wake of this Guidance, an uptick in public company disclosures will likely occur in this area, with respect to both specific cyber incidents that have occurred and risks that such an incident might occur. As with any other risk, the SEC cautions that such disclosure "should be tailored to [the issuer's] particular circumstances and [should] avoid generic 'boilerplate' disclosure." A company is not required to give a roadmap of its weaknesses, but it may have to disclose that it has a particular weakness given its business model. As a result, companies must carefully balance the need to make a disclosure against the need to avoid exposing their cybersecurity vulnerabilities. Although the SEC cautions against boilerplate disclosures, common themes are nevertheless likely to emerge in cybersecurity disclosures made in issuers' SEC filings in the industries and sectors where cybersecurity issues are most prevalent.

This article is excerpted from "Privacy and Data Protection 2011 Year in Review".

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.