“In the past year, there were reports of cyber thieves hacking corporate networks to steal customer data from financial services firms and retailers, intellectual property from life sciences, technology and industrial companies and information regarding the location of major oil reserves from multinational oil companies. This proliferation of cyber attacks led to … interpretive guidance on the disclosure of cybersecurity risks by public companies [from] the SEC’s Division of Corporation Finance…
[W]ith 10-Ks due soon for a number of public companies, now is the time to understand and consider the disclosure impact of this guidance.” (A Practical Guide to Implementing SEC Guidance on Disclosure of Cybersecurity Risks and Cyber Incidents by King & Spalding)
For public companies, disclosing risks to comply with Securities and Exchange Commission reporting requirements is nothing new. But disclosing cybersecurity risks might be. In anticipation of this year’s annual reporting season, here is a brief Q&A on SEC rules for reporting cyber risks and incidents in company filings:
1. What triggers disclosure?
“… There are two separate triggers for cybersecurity disclosures. First, public companies must evaluate cybersecurity risks, regardless of whether a cyber attack has occurred, and assess whether disclosure of those risks is appropriate. A second trigger for disclosure is the occurrence of specific events, including cyber attacks and other cyber incidents.” (Privacy and Data Protection 2011 Year in Review by McDermott Will & Emery)
2. Which risks should be reported?
“First and foremost, public companies must disclose the risk of cyber incidents ‘if these issues are among the most significant factors that make an investment in the company speculative or risky.’ Each registrant must evaluate both the impact prior cyber incidents have had on the company and the impact a potential cyber incident may have on the company going forward.” (Cybersecurity and the Public Company: Keeping Your Disclosures Safe and Sound After Cyber Monday by Manatt, Phelps & Phillips, LLP)
3. What should companies say?
“Cyber security risk disclosure must adequately describe the nature of the material risks and specify how each risk affects the registrant. These risks should be specific to the registrant’s business and not generic in nature. Items requiring disclosure include past security incidents, the probability for future incidents and their potential impact on both the business’s finances and reputation.” (The SEC Focuses on Cyber Security and Related Disclosure Requirements by White & Case LLP)
4. Do relationships with service providers and other third parties need to be disclosed?
Yes. “Third parties (i.e., outsourcing providers) who perform services for the company are a potential ‘break’ in the chain of control in an organization, and the SEC requires that the company consider these outsourcing arrangements as a ‘Risk Factor.’” (Financial Services Quarterly Report – Fourth Quarter 2011 by Dechert LLP)
5. What if disclosure exposes broader security risks?
“Corp Fin’s guidance notes that the federal securities laws do not require disclosures that would compromise an issuer’s cybersecurity through release of information that could invite attack or otherwise compromise network systems and defenses. At the same time, a specific incident that led, for example, to the destruction of customer data and damage to corporate systems may need to be disclosed…” (Cybersecurity Risks and Events Receive SEC Attention—Disclosure Guidance From Corp Fin by White & Case LLP)
6. Do the SEC reporting requirements supersede state reporting laws?
“… the SEC guidance makes it clear that, in addition to compliance with state data breach notification requirements, various existing SEC requirements may necessitate additional disclosure of a data breach incident or its aftereffects in a business entity’s public filings. Business entities must therefore not only follow the letter of each state’s notification laws, but also consider whether and how each data breach incident should be disclosed in their regular public filings.” (Recent SEC Guidance and Upcoming Amendments to California and Illinois Statutes Affect Data Breach Disclosure Obligations by Morgan Lewis)