The Securities and Exchange Commission (SEC) has been focused on cybersecurity issues for over a decade, tracing back to its initial guidance on this topic in 2011. On October 16, 2018, the SEC released a report pursuant to Section 21(a) (15 U.S.C. § 78u) of the Securities Exchange Act of 1934, as amended (the Exchange Act) detailing its investigation of several public companies that were victims of cybersecurity-related frauds. See Release No. 84429, available here. While the SEC decided not to pursue enforcement actions against these companies, it emphasized the duty of a public company to comply with the requirements of Section 13(b)(2)(B) (15 U.S.C. § 78m) of the Exchange Act to devise and maintain a sufficient system of internal accounting controls.
On December 6, 2018, former SEC Chairman Jay Clayton, in a speech, highlighted cybersecurity risks as one of the prominent challenges the SEC faces. Former Chairman Clayton reiterated the SEC's statement and interpretive guidance regarding disclosures on cybersecurity risks and incidents issued earlier in 2018 (2018 Guidance).
Under the 2018 Guidance, public companies are required to disclose cybersecurity risks and cyber incidents to the extent that these are material. In evaluating whether cybersecurity risks or incidents are material, a public company should consider, among other things, the nature and magnitude of cybersecurity risks or prior incidents; the actual or potential harms of a cyber breach to the company's reputation, financial condition, or business operation; the legal and regulatory requirements to which the company is subject; the costs associated with cybersecurity protection, including preventive measures and insurance; and the costs associated with cybersecurity incidents, including remedial measures, investigations, responding to regulatory actions, and addressing litigation.
Once cybersecurity risks and incidents are determined to be material, a public company should provide complete and accurate information in its periodic reports regarding these risks, incidents, and related investigations or litigation.
Public companies generally include cybersecurity-related disclosures in the following sections of their offering materials and periodic reports: Risk Factors, Business, and Management's Discussion and Analysis of Financial Condition and Results of Operations (MD&A). Most of the initial cybersecurity disclosures were generic boilerplate provisions or laundry lists of risks applicable to almost any company. These disclosures included general statements about cybersecurity risks and incidents but did not specifically disclose how cybersecurity risks and incidents might affect the company, its management, operations, and prospects. At present, companies commonly provide detailed discussions of ongoing cybersecurity litigation and regulatory actions in the notes to their financial statements, which are incorporated by reference in offering materials or periodic reports. This practice note identifies some cybersecurity-related disclosures that offer more detailed discussions of such effects.
For further information on public company disclosure in general, see Top 10 Practice Tips: Periodic and Current Public Company Reporting, Public Company Periodic Reporting and Disclosure Obligations, and Periodic and Current Reporting Resource Kit.
Other SEC Activity on Cybersecurity
On January 27, 2020, the SEC's Office of Compliance Inspections and Examinations (OCIE) issued a report of observations arising from OCIE's examinations of how various broker-dealers, investment advisers, clearing agencies, national securities exchanges, and other SEC registrants manage cybersecurity risks and enhance operational resiliency. The report is available at this link. OCIE grouped the practices it observed into seven areas: governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and training and awareness.
On July 10, 2020, the SEC issued a risk alert on ransomware. See Cybersecurity: Ransomware Alert, available at this link. Ransomware is malware that, once it gains access to a company's systems, encrypts data or otherwise locks the company out of those systems until a ransom is paid. The alert described techniques used by ransomware operators, such as phishing campaigns designed to penetrate a registrant's network, and mitigation measures that companies may adopt (including, among others, vulnerability scanning and patch management, access management, and training and awareness of the threat).
Cybersecurity Disclosures in the Risk Factors Section
Item 105 (17 C.F.R. § 229.105) of Regulation S-K requires a description of material risks that impact a business; how these risks affect the issuer's financial position, results of operations, and future prospects; and how an investment in the offered securities becomes speculative or riskier because of these risks. For further information, see Market Risk Factors, and Risk Factor Drafting for a Registration Statement. The disclosures should be in plain English and should not be generic. For further information on plain English, see Top 10 Practice Tips: Drafting a Registration Statement and Glossaries in Prospectuses and Annual Reports-Background.
A majority of companies choose to disclose cybersecurity risks in the Risk Factors section. The nature of the disclosures varies by company, but companies that have a strong e-commerce presence or that have experienced a security breach typically provide disclosure with particularity. Companies that are subject to industry regulations on cybersecurity, such as financial services companies, may want to enhance their disclosures by discussing the relevant regulatory developments on cybersecurity. When a cybersecurity breach occurs, a company typically discloses such incident, together with the remedial actions the company is planning to undertake, estimated losses arising from the breach, and whether there are litigation and regulatory actions or other consequences associated with the cybersecurity breach. For a further discussion on cybersecurity disclosure, see Media & Entertainment Industry Guide for Capital Markets. Set forth below are some examples of cybersecurity disclosures in the Risk Factors section.
General Disclosure on Cybersecurity Risks
- "TEC is exposed to potential risks related to cyberattacks and unauthorized access, which could cause system failures, disrupt operations or adversely affect
TEC increasingly relies on information technology systems and network infrastructure to manage its business and safely operate its assets, including controls for interconnected systems of generation, distribution and transmission and financial, billing and other business systems. TEC also relies on third party service providers to conduct business. As TEC operates critical infrastructure, it may be at greater risk of cyberattacks by third parties, which could include nation-state controlled parties.
Originally Published by Practical Guidance
Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe - Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.
© Copyright 2020. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.