Commentary Addressing Risks and Opportunities Through the Lifecycle of Data, Technology, Advertising and Innovation

Data Counsel

Home | Data Counsel

The SEC released a guidance <a href="http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm#_edn8">document</a> on October 13, 2011, which set forth the views of the Division of Corporation Finance regarding disclosure obligations relating to cybersecurity risks and incidents.&nbsp; Even though there is no disclosure requirement specific to cybersecurity risks and incidents, information about such incidents and their effects may need to be disclosed because they impact other matters.&nbsp; Therefore, the guidance document provides an overview of specific disclosure obligations that may require a discussion of cybersecurity risks and cyber incidents.&nbsp; For each of the six areas of disclosure obligations discussed, as set forth below, the SEC provided examples of when disclosure may be appropriate.
(1)&nbsp;&nbsp; Risk Factors: &ldquo;Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.&rdquo;&nbsp; According to the document, examples of appropriate disclosures include:
<ul>
<li>Discussion of aspects of the registrant&rsquo;s business or operations that give rise to material cybersecurity risks and the potential costs and consequences; </li>
<li>To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks; </li>
<li>Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences; </li>
<li>Risks related to cyber incidents that may remain undetected for an extended period; and </li>
<li>Description of relevant insurance coverage. </li>
</ul>
(2)&nbsp;&nbsp; MD&amp;A: &ldquo;Registrants should address cybersecurity risks and cyber incidents in their MD&amp;A if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant&rsquo;s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.&rdquo;
(3)&nbsp;&nbsp; Description of Business: &ldquo;If one or more cyber incidents materially affect a registrant&rsquo;s products, services, relationships with customers or suppliers, or competitive conditions, the registrant should provide disclosure in the registrant&rsquo;s &lsquo;Description of Business.&rsquo;&rdquo;
(4)&nbsp;&nbsp; Legal Proceedings: &ldquo;If a material pending legal proceeding to which a registrant or any of its subsidiaries is a party involves a cyber incident, the registrant may need to disclose information regarding this litigation in its &ldquo;Legal Proceedings&rdquo; disclosure.&rdquo;
(5)&nbsp;&nbsp; Financial Statement Disclosures: &ldquo;Cybersecurity risks and cyber incidents may have a broad impact on a registrant&rsquo;s financial statements, depending on the nature and severity of the potential or actual incident.&rdquo;&nbsp;
(6)&nbsp;&nbsp; Disclosure Controls and Procedures: &ldquo;Registrants are required to disclose conclusions on the effectiveness of disclosure controls and procedures.&rdquo;&nbsp;
It is important to note that the guidance is not a rule, regulation, or statement of the SEC, and the SEC has not approved or disapproved its content.

SEC Provides Guidance on Cybersecurity Disclosure Obligations