SEC Issues Cybersecurity Disclosure Guidance


As companies increasingly rely on digital technologies and networks to conduct their operations, the risks to companies associated with cybersecurity [1] have increased, resulting in more frequent and severe cyber incidents. The Division of Corporation Finance of the United States Securities and Exchange Commission (the “SEC”) addressed this trend on October 13, 2011 by issuing guidance (the “Disclosure Guidance”) regarding the disclosure obligations of public companies relating to cybersecurity risks and cyber incidents. Mindful that detailed disclosures could compromise cybersecurity efforts (by providing a “roadmap” for outsiders to infiltrate a public company’s network), the SEC emphasized that such disclosures are not required under federal securities laws.

Cyber attacks include gaining unauthorized access to digital systems to misappropriate assets or sensitive information, to corrupt data, or to cause operational disruption. Cyber attacks may also be carried out in ways that do not require gaining unauthorized access, such as denial-of-service attacks on websites. The objectives of cyber attacks vary and include theft of financial assets, intellectual property, or other sensitive information belonging to companies, their customers, or business partners. Companies that fall victim to successful cyber attacks may incur substantial costs and suffer significant consequences, such as remediation costs, liability for stolen assets or information, increased future cybersecurity protection costs, lost revenues, litigation, and reputational damage.

The federal securities laws are designed to elicit disclosure of information about risks and events that a reasonable investor would consider important when making an investment decision. Although these requirements do not explicitly refer to cybersecurity risks or cyber incidents, several disclosure requirements may obligate public reporting companies (“registrants”) to disclose such risks and incidents. Disclosure of material information regarding cybersecurity risks and cyber incidents may also be required when necessary to make other disclosures not misleading. The SEC issued the Disclosure Guidance to assist registrants in determining what, if any, disclosures should be provided about cybersecurity risks and incidents. The following provides an overview of specific disclosure obligations that may warrant discussion of cybersecurity risks and cyber incidents.

RISK FACTORS

Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky. Registrants must evaluate their cybersecurity risks and take into account all available relevant information, including prior cybersecurity incidents and the severity and frequency of those incidents. Registrants must consider the probability of cyber incidents occurring and the magnitude of those risks, including the potential costs and resulting consequences. To evaluate whether risk factor disclosure should be provided, registrants should also consider the adequacy of preventive actions taken to reduce cybersecurity risks, in the context of the industry in which they operate, and risks to that security, including threatened attacks. Consistent with the Regulation S-K Item 503(c) requirements for risk factor disclosures, cybersecurity risk disclosure must adequately describe the nature of material risks and specify how each risk affects the registrant. Generic presentation of risks that could apply to any issuer or any offering is insufficient. Depending on the registrant’s particular circumstances, and to the extent material, appropriate disclosures may include:

  • Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
  • To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
  • Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
  • Risks related to cyber incidents that may remain undetected for an extended period; and
  • Description of relevant insurance coverage.

A registrant may have to disclose known or threatened cyber incidents to provide context for discussion of cybersecurity risks. Of course, disclosures which would compromise a registrant’s cybersecurity are not required, but registrants should provide sufficient disclosure to allow investors to appreciate the nature of the risks faced by the particular registrant.

MANAGEMENT’S DISCUSSION AND ANALYSIS OF FINANCIAL CONDITION AND RESULTS OF OPERATIONS (“MD&A”)

Registrants should address cybersecurity risks and cyber incidents in their MD&A if such issues have had or are reasonably likely to have a material effect on the registrant’s operations, liquidity, or financial condition. For example, if material intellectual property is stolen in a cyber attack, and the effects of the theft are reasonably likely to be material, the registrant should describe the property that was stolen, the effect on future revenues, any increased cybersecurity protection costs, and any resulting litigation.

DESCRIPTION OF BUSINESS

If a cyber incident materially affects a registrant’s products, services, relationships with customers or suppliers, or competitive conditions, the registrant should provide disclosure in the registrant’s “Description of Business” section. For example, if a registrant learns of a cyber incident relating to a new product in development, the registrant should discuss the incident and the potential impact, to the extent material.

LEGAL PROCEEDINGS

If a material pending legal proceeding to which a registrant or any of its subsidiaries is a party involves a cyber incident, the registrant may need to disclose information regarding the litigation in its “Legal Proceedings” disclosure. This disclosure would include the name of the court in which the proceedings are pending, the date the litigation was instituted, the principal parties to the litigation, a description of the factual basis alleged, and the relief sought.

FINANCIAL STATEMENT DISCLOSURES

Cybersecurity risks and cyber incidents may impact a registrant’s financial statement disclosures. Prior to a cyber incident, registrants may incur substantial costs to prevent cyber incidents. Accounting for the capitalization of these costs is addressed by Accounting Standards Codification (“ASC”) Topic 350-40.

Upon a cyber incident, registrants may seek to mitigate damages using customer incentives. ASC Topic 605-50 addresses the recognition, measurement, and classification of these incentives. Cyber incidents may result in losses from asserted and unasserted claims related to warranties, breach of contract, product recall and replacement, and indemnification of counterparties. ASC Topic 450-20 addresses when to recognize such losses, as registrants must provide certain disclosures of losses that are reasonably possible.

Cyber incidents may also result in the impairment of certain assets, such as goodwill, customer-related intangible assets, trademarks, patents, capitalized software, inventory, or other long-lived assets associated with hardware or software. Occasionally registrants will estimate these impairments. Registrants will have to disclose the risk of a reasonably possible material change in such estimates in the near term in accordance with ASC Topic 275-10.

In instances when a cyber incident is discovered after a balance sheet date but before the issuance of financial statements for that period, and the incident constitutes a material nonrecognized subsequent event, the financial statements should disclose the nature of the incident and an estimate of its financial effect, in accordance with ASC Topic 855-10.

DISCLOSURE CONTROLS AND PROCEDURES

To the extent cyber incidents pose a risk to a registrant’s ability to record, process, summarize, and report information required to be disclosed in SEC filings, management should consider whether there are any deficiencies in the disclosure controls and procedures that would have a reasonable possibility of causing information not to be recorded properly due to a cyber incident affecting the registrant’s information systems.

CONCLUSION

The Disclosure Guidance indicates that the SEC is increasingly focused on cybersecurity issues, especially as they relate to mandatory disclosures under the federal securities laws. As a result, registrants should review, on an ongoing basis, the adequacy of their disclosures relating to cybersecurity risks and cyber incidents.