In a Rare Move, SEC Issues Guidance on Cybersecurity Risks
The Securities and Exchange Commission has put public companies on notice of the significant risks relating to cybersecurity and has indicated that unmitigated exposure to cyber incidents should not be ignored in public disclosures. The SEC’s Division of Corporate Finance issued a Disclosure Guidance addressing disclosure obligations related to cybersecurity risks and cyber incidents.
The SEC does not often target such a specific area of corporate vulnerability for disclosure, but the move is not all that surprising in light of the increased frequency and severity of cyber incidents resulting in extraordinary costs to public companies and their shareholders. Although not a rule or a regulation, the Guidance clearly states the SEC’s position that several existing disclosure requirements already impose an obligation on public companies to disclose certain cybersecurity risks and cyber incidents, just as a company would need to with any other significant operational or financial risk.
Existing disclosure requirements
The Guidance highlights the following five specific disclosure obligations that may require the inclusion of cybersecurity risks and cyber incidents:
• risk factors
• legal proceedings
• management discussion and analysis (MD&A) of financial condition and results of operations
• description of business
• financial statement disclosures
Even in the absence of a previous cyber incident, the Guidance indicates that the SEC expects all public companies to evaluate and assess cybersecurity risks. As part of this evaluation, public companies are advised to consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from cyber incidents. Public companies also may consider the adequacy of preventative actions taken to reduce cybersecurity risks in mitigation of those risks.
Depending on the result of this evaluation, disclosure of cybersecurity risks may be required to provide investors with sufficient information to appreciate the nature and extent of the risks faced by a public company. The Guidance provides the following examples of appropriate disclosures:
• Discussion of aspects of the public company’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
• To the extent the public company outsources functions that have material cybersecurity risks, description of those functions and how the public company addresses those risks;
• Description of cyber incidents experienced by the public company that are individually, or in the aggregate, material, including a description of the costs and other consequences;
• Risks related to cyber incidents that may remain undetected for an extended period; and
• Description of relevant insurance coverage.
Ongoing lawsuits related to cybersecurity and cyber incidents, which are rapidly increasing in number due to new and evolving statutory enactments nationwide, should be included in the company’s “Legal Proceedings” disclosure. The Guidance notes, as an example, that if a significant amount of customer information is lost or stolen and results in litigation, the company should disclose where it is pending, the date instituted, the principal parties thereto, a description of the factual basis alleged, and the relief sought.
Management Discussion and Analysis (MD&A) of financial condition and results of operations
The Guidance also provides that public companies should address cybersecurity risks and cyber incidents in their MD&A if the costs or other consequences associated with one or more known incidents, or the risk of potential incidents, represent a material event, trend or uncertainty that is reasonably likely to have a material effect on the public company’s results of operations, liquidity or financial condition.
Description of business
If one or more cyber incidents materially affect a public company’s products, services, relationships with customers or suppliers, or competitive conditions, the Guidance states the public company should provide disclosure in its “Description of Business.” For example, if a company’s new product is in development and its future viability is materially impaired, the company should discuss the incident and its potential impact.
Financial statement disclosures
The Guidance emphasizes the effect cyber incidents may have on a company’s financial statements, depending on the nature and severity of the potential or actual incident. Substantial costs and liabilities such as warranty liability, allowances for product returns, capitalized software costs, inventory, litigation, and deferred revenue all should be reflected in a company’s financials. In addition, if a cyber incident is discovered after the balance sheet date but before the issuance of financial statements, the Guidance suggests companies should consider whether disclosure is necessary and whether any estimates as to financial effect should be made.
What the Guidance means for public companies
Public companies that ignore the substantial and prevalent risks associated with cybersecurity do so at their own peril, and the Guidance is just the latest reminder of this fact. The SEC clearly expects all public companies, not just those in certain industries, to proactively evaluate cybersecurity risks and assess in very real terms the consequences of a cyber incident to a company’s bottom line. The Guidance also highlights the critical need for public companies to have comprehensive cybersecurity policies, including preventative measures and cyber incident response plans. Without such precautionary measures, cybersecurity risks will be viewed as unmitigated and, according to the Guidance, disclosure of this vulnerability may be required.