SEC Releases Disclosure Guidance for Cyber Security Risks and Incidents
On October 13, 2011, the Securities and Exchange Commission released disclosure guidance to assist publicly traded companies “in assessing what, if any, disclosures should be provided about cyber security matters in light of each registrant’s specific facts and circumstances.” This advisory describes the SEC’s new guidance and what companies need to do to comply.
As companies increasingly rely on Internet communications and remote data storage, the risks and potential costs associated with cyber attacks and inadequate cyber security are growing. The SEC’s disclosure guidance addresses potential disclosure obligations related to cyber security matters and reminds companies that, as with other operational and financial risks and events, they should review on an ongoing basis the adequacy of their disclosure relating to cyber security risks and cyber incidents.
The disclosure guidance provides specific direction for disclosing cyber security risks and cyber incidents in the following sections of SEC filings:
- Risk Factors – Companies should consider the probability that cyber incidents will occur in the future, and the potential costs and other consequences that could result. To the extent material, risk factor disclosure of potential cyber incidents may be necessary and may include aspects of a company’s operations that give rise to or mitigate these cyber risks. As a reminder, companies should avoid “boilerplate” risk factors that could apply to any public company, and the guidance does not require a company to disclose information in a risk factor that would itself compromise its cyber security (for example, by providing a “roadmap” for attackers).
- Management’s Discussion and Analysis (MD&A) – Companies should address cyber security risks or incidents in the MD&A if the costs or other impacts of a known cyber risk or incident represent a material event, trend or uncertainty that is reasonably likely to have a material effect on the company’s results of operations, financial condition or liquidity. MD&A disclosure may be required even when a past cyber incident had no material effect on the company’s financial condition, for example if the incident led the company to materially increase its cyber security expenditures.
- Description of Business – Companies should evaluate the impact of cyber incidents or cyber security risks on each reportable business segment. If a cyber incident or cyber security risk materially affects a company’s (or business segment’s) relationships with customers or suppliers, or materially changes the competitive landscape, the company should summarize the cyber risk or incident and its impact in the description of its business.
- Disclosure Controls and Procedures – Companies should evaluate the extent to which cyber incidents pose a risk to their ability to record, process, summarize and report information that is required to be disclosed in SEC filings. If it is reasonably possible that such information would not be properly recorded, processed, summarized or reported because of a cyber incident, the company should evaluate how cyber security risks affect its disclosure controls and procedures, whether those controls and procedures remain effective, and whether any remedial measures are required.
- Legal Proceedings – Any material pending legal proceeding related to a cyber incident to which a company is a party may need to be disclosed in the “legal proceedings” section.
The disclosure guidance also addresses various accounting principles that may be important when summarizing the impact of a cyber incident on the company’s financial statements. These accounting principles address:
- costs incurred to prevent cyber incidents;
- costs incurred to mitigate damages from a cyber incident;
- loss contingencies related to cyber incidents;
- impairment of certain assets; and
- subsequent event disclosures.
The full text of the disclosure guidance, including a discussion of potentially important accounting principles, is available on the SEC’s website.