On February 21, 2018, the Securities and Exchange Commission (the SEC) issued interpretative guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents.1 The guidance refreshes previous staff guidance,2 carries added weight as a statement of the Commission itself and addresses new topics. The SEC guidance details how public companies should disclose cybersecurity events that represent a material risk to their investors. The SEC also emphasizes the importance of timely disclosure of cybersecurity risks and incidents to senior management. In addition, the SEC suggests ways a company can prevent insider trading, such as by imposing a trading blackout following a cybersecurity event. Finally, the SEC cautions companies to avoid selective disclosure. We summarize below the new guidance, the SEC’s previous staff guidance and our takeaways.
Item 503(c) – Risk Factors
Companies should consider the following to determine whether disclosure of cybersecurity risks is necessary:
If a company has experienced a specific cybersecurity incident, it may not be enough to disclose the potential risk of another incident occurring. The company should discuss in further detail the occurrence and its consequences, alongside a broader discussion of cybersecurity risks inherent in the company’s business or industry.
Item 303 – MD&A of Financial Condition and Results of Operations
In disclosing information the company’s management believes necessary to understanding its financial condition and results of operations, management may want to consider whether the costs of cybersecurity (such as loss of IP, reputational harm, and cybersecurity insurance) and the potential risks and consequences of an incident could further inform management’s discussion and analysis. In addition, the SEC expects companies to consider cybersecurity issues and their impact on each of the company’s reportable segments.
Item 101 – Description of Business
The SEC expects companies to discuss cybersecurity incidents or risks if they would materially affect a company’s products, services, relationships with customers or suppliers, or competitive conditions.
Item 103 – Legal Proceedings
Any litigation arising out of a cybersecurity incident must be properly disclosed. For example, if a company is hacked and all of its customers’ information is stolen, the company must disclose any material litigation, including suits brought by the affected customers against the company.
Financial Statement Disclosures
A company’s financial reporting and controls system should be designed so that information relating to the financial impact of a cybersecurity incident is reflected in the financial statements in a timely manner. For example, an operational event such as a hack could result in a possible loss contingency requiring financial statement accrual or disclosure.
Item 407(h) – Board Risk Oversight
If cybersecurity risks are material to the company’s business, the discussion of the Board’s risk oversight should include the Board’s role in overseeing cybersecurity risks.
Public companies that already have a cybersecurity disclosure policy in place should review and update that policy, bearing in mind that cybersecurity incidents are becoming increasingly common and that increased attention by the SEC and others to cybersecurity disclosure is assured. In addition to disclosure and governance considerations, companies should continue to treat cybersecurity as a critical operational issue deserving of focused attention.
1 SEC Rel. Nos. 33-10459; 34-82746, located here.
2 CF Disclosure Guidance: Topic No. 2, Cybersecurity, located here.
3 Public companies are required to maintain effective disclosure controls and procedures pursuant to Exchange Act Rules 13a-15 and 15d-15.
4 https://www.law360.com/articles/1014661/new-sec-cybersecurity-guidance-dinged-by-dems-as-rehash