With the ubiquitous use of information technology across all industries, and increased cyber risk as a result, the Division of Corporation Finance of the Securities and Exchange Commission (SEC) has recently released new disclosure guidance for publicly-traded companies.
While the guidance "is not a rule, regulation, or statement of the SEC," according to the CF Disclosure Guidance: Topic No. 2, it fundamentally appears designed to assist companies in addressing how and where cyber risks should be disclosed based on current SEC disclosure requirements.
The guidance specifically relates to companies preparing disclosures for an initial public offering under the Securities Act of 1933, and public companies preparing reports under the Securities Exchange Act of 1934.
Six potential areas are highlighted where obligations exist to disclose cyber risks and/or cyber incidents:
- Risk factors – Similar to any risk factor, cyber risks should be disclosed by registrants if deemed significant. In determining whether or not a risk factor is "significant" and should be disclosed, cyber risks need to be evaluated within the context of the specific business. Analysis of both potential impact and likelihood of cyber risks and cyber events should be undertaken to determine if disclosure is appropriate.

  The SEC specifies that risks should not be described in generic terms that would apply to any company but should be composed of information that is directly relevant to risks faced by the organization. The disclosure may include specific business factors that increase the risk of a cyber incident, outsourced functions which increase cyber risks, risks that may go unobserved for an extended period of time and any insurance coverage which could mitigate the impact of a cyber incident. Disclosure may also include an actual clear and present risk that is known to the organization.

  Care must be taken to ensure that the disclosure itself does not increase the risk of a cyber incident occurring. If, for example, a registrant were to disclose in detail specific weaknesses in their IT infrastructure, it could provide a road map for external threats to exploit.

- Management discussion and analysis of financial condition (MD&A) – Cyber risks should, generally, only be discussed in the MD&A if a cyber incident or potential incident is "reasonably likely" to have a material effect on the registrant's operations. This effect could take the form of current or future liquidity, financial condition, or intellectual property impacts to the entity. Potential reductions in revenues or increased costs to protect the entity should be included in the discussion.

- Description of business – If, as a result of a cyber incident, there is a material impact to an entity's fundamental products, services, or stakeholder relationships, the registrant should consider disclosure. For example, if a company that maintains confidential data for other companies were to experience a significant data breach, it would most likely need to disclose the potential impact on its business.

- Legal proceedings – As with other non-cyber related legal proceedings, material pending cyber related litigation should be considered for disclosure. Specifically, the SEC guidance states that "the registrant should disclose the name of the court in which the proceedings are pending, the date instituted, the principal parties thereto, a description of the factual basis alleged to underlie the litigation, and the relief sought."

- Financial statement disclosures – The costs related to cyber risks can vary substantially and come in several forms. Significant costs related to cyber risk prevention, for example, may need to be disclosed. This could include the capitalization of internal use software. The costs related to a specific cyber event would potentially need to be disclosed, including payments to customers or suppliers as compensation or incentives as a result of a disruption in the relationship.

  Cyber-related losses which are probable and reasonably estimable may need to be recognized as a liability. Impacts to cash flow could also raise impairment considerations. Disclosure may also be necessary subsequent to the balance sheet date if a material cyber event occurs prior to the issuance of the financial statements.
- Disclosure controls and procedures – Any material deficiencies in a company's internal controls or procedures as a result of a cyber incident may need to be disclosed. For example, if a control is found to be ineffective or has been compromised as a result of a cyber event, then disclosure may be required.
For more detailed information on the disclosure guidance, visit the SEC website.