United States: Navigating The SEC's Cybersecurity Guidance

The Securities Exchange Commission has joined a growing number of regulatory agencies in expressing interest in cybersecurity issues. As the foremost regulator of public companies, the SEC has a broad jurisdictional reach and enforcement powers that many other agencies lack. While no detailed regulations have been enacted, the SEC has issued guidance noting that cybersecurity issues should be disclosed as risk factors to the extent they are significant under Regulation S-K.

However, many organizations lack the procedural and technical frameworks necessary to identify key information assets and significant risks to the organization that should be disclosed under Regulation S-K. This White Paper highlights the critical aspects of the SEC's cybersecurity guidance and how directors can maintain compliance and reduce shareholder risk.


Cybersecurity is an increasingly major issue affecting every element of the publicly traded markets. The value of investor holdings is directly impacted by risk affecting digital assets.

On October 13, 2011 the Division of Corporation Finance at the Securities and Exchange Commission (SEC) issued non-rule, non-regulation, non-statement guidance regarding disclosure obligations relating to cyber security risks and cyber incidents.1 The guidance notes that securities laws are designed to elicit disclosure of timely, comprehensive and accurate information about risks and events that a reasonable investor would consider important to an investment decision and cyberscurity risks and events are not exempt from these requirements. Disclosures of cybersecurity risks and events may also be necessary to prevent other required disclosures from being misleading.

The SEC cybersecurity guidance identifies six areas where cybersecurity disclosures may be necessary under Regulation S-K: 1) Risk Factors; 2) Management's Discussion and Analysis of Financial Condition and Results of Operation (MD&A); 3) Description of Business; 4) Legal Proceedings; 5) Financial Statement Disclosures; and 6) Disclosure Controls and Procedures.

Material cybersecurity risks should be disclosed and adequately described as risk factors. Where cybersecurity risks and incidents that represent a material event, trend or uncertainty reasonably likely to have a material impact on the organization's operations, liquidity or financial condition it should be addressed in the MD&A. If cybersecurity risks materially affect the organizations products, services, relationships with customers or suppliers, or competitive conditions, organizations should disclose such risks in its description of business. Data breaches or other incidents can result in regulatory investigations or private actions that are material and should be discussed in the Legal Proceedings section. Cybersecurity risks and incidents that represent substantial costs in prevention or response should be included in Financial Statement Disclosures where the financial impact is material. Finally, where a cybersecurity risk or incident impairs the organization's ability to record or report information that must be disclosed, Disclosure Controls and Procedures may be ineffective and subject to disclosure.

While the SEC has not yet explicitly promulgated cybersecurity rules, securities regulators have clearly indicated that they consider cybersecurity a key issue for public companies and investors.

The SEC and Current Cybersecurity Challenges

Digital assets represent an ever-growing percentage of the total value of organizations. Organized crime and nation-state actors, often in the form of Advanced Persistent Threats, are becoming more active and more sophisticated in targeting assets that can be economically profitable. Breaches are becoming everyday events, with malicious attackers becoming the most predominant source. According to Verizon's 2013 Data Breach Investigations Report, 92% of breaches were perpetrated by outside actors, and 75% were driven by financial motives.2 As these threats grow, many organizations are lagging behind in identifying key digital assets and ensuring that they are adequately protected.

In addition, while board members increasingly acknowledge that they must take a role in cybersecurity issues, most lack the knowledge and experience to know the appropriate role for the board in overseeing protection of digital assets.

Listed below are three areas of focus where boards and senior management can minimize cybersecurity risks to the organization include:

  • Be Prepared – the Rapidly Changing Environment. Ensure that the organization has appropriate frameworks in place for mitigating cybersecurity risks. Specific areas to address include:

    • Identify key digital assets that, if compromised, could cause significant damage to the organization.
    • Investigate the organization's policies and processes for protecting the identified assets and whether current controls adequately address the risk. Policies and procedures should be documented and continuously reviewed for effectiveness and revised when necessary.
    • Ensure the organization is exercising diligence over third parties providing critical services, including cross-border service providers.
  • Act at Market Speed – Focusing on Investor Protection. Incident Response Planning is key in responding to a cybersecurity incidents and data breaches. The organization should have in place a defined and documented process for the end to end management of security incidents and data breaches.
  • Know What is Happening – Helping Thwart Cybercrime. The sophisticated capabilities of malicious adversaries, such as Advanced Persistent Threats, demand diligence at all levels of the organization. Defenses, including technical measures, policies and procedures, and training, should address risks throughout the organizations business process flow. The organization should have a framework in place to monitor and identify cybersecurity incidents and potential breaches and continuously monitor and improve.

Be Prepared – the Rapidly Changing Environment

Preparation is the most critical single aspect of complying with SEC guidance and protecting shareholder value. Organizations must identify their critical digital assets and the risks that impact them. Without understanding what assets within the organization are most valuable, it is impossible to determine whether cybersecurity resources are appropriately prioritized.

Identifying critical assets must involve senior management and board input on strategic direction and relative value of critical assets and strategic risks. For example, the board should review management's valuation and prioritization of assets and discuss the strategic impact of identified risks. The board and senior management should ensure that the organization has instituted a documented risk management program that incorporates cybersecurity as a risk source. Cybersecurity risks that are among the most significant factors that may make an investment risky or speculative should be disclosed.

Another key area of oversight is the organization's policies and procedures. Nearly every key business process involves the input, storage, processing and output of digital information. These key business processes should be documented and periodically reviewed and updated as necessary to ensure that critical digital assets are secure. Diligence in implementing and documenting policies and procedures can help prevent legal issues stemming from cybersecurity incidents and curtailing claims that are filed by demonstrating compliance and reasonable security practices. Independent assessments should be used as appropriate to validate internal controls against applicable regulations and industry best practices.

Third party service providers and partners are a major source of organizational risk. Critical digital assets and responsibilities are often delegated outside the organization where oversight and control is limited. Boards and senior management should ensure that the organization has implemented a program for managing third parties with access to critical digital assets. The program should identify third parties with access to critical digital assets and implement appropriate controls through contractual or other obligations to ensure that the organization's digital assets are adequately protected. To the extent third parties are heavily relied upon for critical business processes, cybersecurity may be a significant risk factor that should be disclosed.

Acting at Market Speed – Focusing on Investor Protection

Cybersecurity incidents are inevitable for even the most diligent organizations. Information systems and business processes are too complex and change too rapidly for defenses to keep pace with cybersecurity threats. Organizations must develop response capabilities to contain and limit the effect of incidents that do occur.

Boards and senior management should ensure that the organization has a defined and documented incident response program that incorporates technical, business and legal stakeholders. The incident response program should be tested at least annually and the program should be reviewed and improved as necessary after each incident or test. Boards and senior management should be informed of significant cybersecurity incidents and breaches and ensure that appropriate remedial measures are taken to prevent similar incidents from recurring.

Speed and efficiency in responding to incidents and breaches can significantly affect the impact of the cybersecurity event on an organization. An effective incident response program can make the difference between containing a breach to a minor event and having the breach escalate into a major issue or legal claims that must be disclosed under Regulation S-K.

Know What is Happening – Helping Thwart Cybercrime

Malicious actors are rapidly increasing in sophistication and motivation. Gone are the days of teenagers in dorm rooms hacking for the challenge or notoriety. Attackers today have substantial financial or political motivation and select specific targets rather than targets of opportunity. The sophistication and skill of attackers is shown in the 2013 Verizon Data Breach Investigation Report, which found that 66% of malicious attacks operated in the organization for at least four months before being detected.3

Organizations must deploy detection and identification capabilities and diligently monitor activity within their networks. Boards and senior management should investigate the organization's detection capabilities and whether they are appropriate relative identified risks. Independent evaluation is essential to avoid overlooking incorrect assumptions and inadvertent bias in internal reviews.

Internal monitoring leverages preparation and incident response programs to limit the potential impact of cybersecurity incidents. Malicious attacks must be detected before an incident response plan can be initiated, and earlier detection limits the damage from intrusions. Detection capabilities also indicate what threats are not being mitigated by technical controls, policies and procedures, and detected incidents should be reviewed and used as an input into the continuous improvement cycle for cybersecurity controls.


1. See http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm ("SEC Guidance")

2. See 2013 Verizon Data Breach Investigations Report, available at http://www.verizonenterprise.com/DBIR/2013/, at 5-6.

3. Verizon Data Breach Investigations Report at 52.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Events from this Firm
22 Jan 2019, Seminar, San Francisco, United States

Dentons is pleased to offer a full day of classes, just in time for the California MCLE compliance period deadline of January 31, 2019.*

23 Jan 2019, Seminar, Los Angeles, United States

Dentons is pleased to offer a full day of classes, just in time for the California MCLE compliance period deadline of January 31, 2019.*

24 Jan 2019, Other, New York, United States

Join Dentons’ Health Care Partner Lori Mihalich-Levin and White Collar & Government Investigations Counsel Christine Genaitis as they lead conference sessions at AHLA Academic Medical Centers and Teaching Hospitals Institute.

Similar Articles
Relevancy Powered by MondaqAI
In association with
Related Topics
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions