The SEC released a guidance document on October 13, 2011, which set forth the views of the Division of Corporation Finance regarding disclosure obligations relating to cybersecurity risks and incidents. Even though there is no disclosure requirement specific to cybersecurity risks and incidents, information about such incidents and their effects may need to be disclosed because they bear on other matters that registrants are already required to disclose. Therefore, the guidance document provides an overview of specific disclosure obligations that may require a discussion of cybersecurity risks and cyber incidents. For each of the six areas of disclosure obligations set forth below, the SEC provided examples of when disclosure may be appropriate.
(1) Risk Factors: “Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.” According to the document, examples of appropriate disclosures include:
- Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
- To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
- Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
- Risks related to cyber incidents that may remain undetected for an extended period; and
- Description of relevant insurance coverage.
(2) MD&A: “Registrants should address cybersecurity risks and cyber incidents in their MD&A if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.”
(3) Description of Business: “If one or more cyber incidents materially affect a registrant’s products, services, relationships with customers or suppliers, or competitive conditions, the registrant should provide disclosure in the registrant’s ‘Description of Business.’”
(4) Legal Proceedings: “If a material pending legal proceeding to which a registrant or any of its subsidiaries is a party involves a cyber incident, the registrant may need to disclose information regarding this litigation in its ‘Legal Proceedings’ disclosure.”
(5) Financial Statement Disclosures: “Cybersecurity risks and cyber incidents may have a broad impact on a registrant’s financial statements, depending on the nature and severity of the potential or actual incident.”
(6) Disclosure Controls and Procedures: “Registrants are required to disclose conclusions on the effectiveness of disclosure controls and procedures.”
It is important to note that the guidance is not a rule, regulation, or statement of the SEC, and the SEC has not approved or disapproved its content.