Guidelines for cybersecurity disclosures from the SEC
On behalf of Law Office of Clifford J. Hunt, P.A. posted in General on Wednesday, April 4, 2018.
The Securities and Exchange Commission unanimously voted to adopt cybersecurity interpretive guidance. Designed to assist public companies in preparing disclosures, the guidelines encourage robust disclosure regarding risks and incidents. In addition to information about lawful disclosure obligations, the guidance addresses the importance of company policies and procedures for cybersecurity threats.
The rise of cyber threats
As companies rely on digital infrastructure to provide financial and investment services, the investing public expects the infrastructure to be reliable and secure. But headline grabbing stories about data breaches continue to plague the digitally connected world.
Cyber attacks include the use of phishing, malware and stolen credentials. The objectives vary but can include the theft or destruction of digital assets and sensitive information. A more heinous goal is to disrupt business operations. Businesses that are victims of successful cyber attacks incur reputational damage and financial costs.
The existing SEC guidance does not address cybersecurity incident disclosure explicitly. However, the guidelines highlight seven areas where disclosure could apply to cybersecurity risks and incidents.
Materiality: Companies need to disclose information about the business operations and risk factors. Omission or misleading information is a disclosure violation.
Risk factors: Businesses must disclose significant factors that make investments speculative or risky. When deciding what to include companies should consider the severity and frequency of prior cybersecurity incidents and steps taken to reduce cybersecurity risks.
Financial condition: Companies must discuss changes in financial condition, including events that would have a material effect on operation results or financial condition. Disclosures related to cybersecurity would include costs of cybersecurity efforts and incidents.
Business description: Businesses must disclose cybersecurity incidents that impact products and services or relationships with customers and vendors.
Legal proceedings: Companies are required to disclose information about any legal proceedings they, or their subsidiaries, are part of. This includes disclosure of legal proceedings involving cybersecurity issues.
Financial statements: Any expenses related to cybersecurity issues should be disclosed. This would include expenses from investigations and remediation, lost revenue and diminished cash flow.
Board risk oversight: The guidance requires businesses to disclose a board’s role in risk oversight, including a description about risk oversight administration.
Increased cybersecurity risks threaten our reliance on networked systems. However, clear and willful disclosure is critical. Companies should inform investors about risks and incidents in a timely manner.