The Securities and Exchange Commission’s Division of Corporate Finance provided guidance to public companies on October 13, 2011, about their disclosure obligations concerning cybersecurity risks and cyber incidents. The Division is careful to point out that federal securities laws, in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision. So, while this guidance does establish new obligations for registrants, it seeks to help them understand their existing disclosure obligation as they relate to increasing cyber risks.
The guidance summarizes the kinds of attacks that may raise concerns:
- unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data, or causing operational disruption;
- causing denial-of-service attacks on websites; or
- third parties or insiders using techniques that range from highly sophisticated efforts to electronically circumvent network security or overwhelm websites to more traditional intelligence gathering and social engineering aimed at obtaining information necessary to gain access.
Concerning the disclosure obligation, the Division observes:
Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. In addition, material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading. Therefore, as with other operational and financial risks, registrants should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.
In determining whether risk factor disclosure is required, including whether to include cybersecurity risks and cyber incidents in the Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A), registrants will need to consider all of the facts and circumstances, such as:
- prior cyber incidents;
- severity and frequency of those incidents;
- the probability of cyber incidents occurring;
- the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption;
- the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware; and
- the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.
At the same time, the Division does not expect a registrant will make a disclosure that itself would compromise the registrant’s cybersecurity.
As cybersecurity risks continue to grow and cyber incidents become more widespread, all companies need to assess and address these risks. For public companies, this is even more critical given their reporting requirements.