Cybersecurity is a critical issue for business for a variety of reasons, including the SEC's increasing focus on it. The Division of Corporation Finance released guidance on cybersecurity and the potential reporting implications of cyber incidents.[1] Noting the increasing role of digital technologies, the Division observed that the risks associated with cybersecurity have also increased. These risks include DDoS attacks, theft of intellectual property, economic espionage, and the disruption of business operations, among others. They can result in costs and other negative consequences, including:
- Remediation costs that may include liability for stolen assets or information and repairing system damage that may have been caused. Remediation costs may also include incentives offered to customers or other business partners in an effort to maintain the business relationships after an attack;
- Increased cybersecurity protection costs that may include organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third party experts and consultants;
- Lost revenues resulting from unauthorized use of proprietary information or the failure to retain or attract customers following an attack;
- Litigation; and
- Reputational damage adversely affecting customer or investor confidence.
In light of these risks, the Division recommended certain cybersecurity disclosures for companies that are subject to its regulatory sweep, though it noted that there are no express cybersecurity disclosure requirements currently in place. One of the issues that the Division identified was disclosure of cyber issues under the risk factor disclosure. Consistent with the requirements of Regulation S-K Item 503(c), the Division believed that cybersecurity disclosures could be appropriate if there were material risks to the company, and that the disclosure should include:
- Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
- To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
- Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
- Risks related to cyber incidents that may remain undetected for an extended period; and
- Description of relevant insurance coverage.
MD&A was also a topic the Division addressed. It believed that MD&A disclosure could be appropriate if the costs or other consequences associated with one or more cyber incidents present a material event, trend or uncertainty that could have a material effect on the company’s operations. This includes the theft of material intellectual property, and the Division suggested specific disclosures regarding these issues, including disclosures regarding revenue reduction.
Description of business disclosures can also be implicated, according to the Division, if a cyber incident materially impacts a registrant’s products, services or relationships with its customers, suppliers, or competitive conditions. Legal proceedings were also an area where disclosure could be appropriate, as were a company’s financial statement disclosures. There are other potential implications of cybersecurity incidents for public companies that are described in the guidance, and care should be taken to appropriately factor these issues into any corporate disclosures.
[1] http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm, last visited November 14, 2012.