Yesterday the Division of Corporation Finance issued informal disclosure guidance detailing the staff’s views on disclosure obligations related to cybersecurity risks and cyber incidents.
This, the Division’s second issuance of such informal disclosure guidance, is most likely in response to a letter that Senator Rockefeller penned to Chairman Schapiro back in May. The Senator specifically requested that the Commission issue interpretive guidance on cybersecurity disclosures, and, in her response letter, Chairman Schapiro promised to seriously consider it.
Perhaps coincidentally, the guidance also coincides with President Obama’s proclamation of October 2011 as National Cybersecurity Awareness Month.
Cyber Incidents and Their Effects
Beginning with a general discussion of cyber incidents, the guidance notes that there has been an increase in focus on incidents that include:
- gaining unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data and causing operational disruptions (e.g., the recent cyber attacks on EMC Corp.’s RSA unit, which cost the company $66 million in Q2); and
- denial of service-type attacks (e.g., the Visa and MasterCard denial of service attacks that took place last year).
Among other things, cyber incidents like these have caused companies to incur:
- remediation costs, including, for example, costs associated with liability for misappropriated assets or information, and costs related to incentives offered to maintain customer or partner relationships;
- increased cybersecurity costs;
- revenue losses;
- litigation costs; and
- reputational damage.
The Disclosure Guidance
The guidance notes that when assessing whether and to what extent cybersecurity risk and cyber incident disclosures are required, a company should consider both the materiality of the information and the applicability of the antifraud provisions of the federal securities laws.
It then goes on to review existing disclosure requirements that may trigger cybersecurity risk and cyber incident disclosures. It covers risk factors, financial statements, and management’s discussion and analysis of financial condition and results of operations most extensively, but also touches on disclosure controls and procedures, a company’s description of business, and legal proceedings disclosures.
Beginning with risk factors, the guidance reiterates the requirements of Item 503 of Regulation S-K and notes that disclosure of cybersecurity risk is required if cyber incidents are “among the most significant factors that make an investment in the company speculative or risky.” In making such a determination, a company should take into consideration all relevant information, including:
- the occurrence of prior cyber incidents;
- their severity and frequency;
- the probability of future cyber incidents;
- the qualitative and quantitative magnitude of the risk, including, for example, the potential costs and other consequences of misappropriated assets or information, data corruption or operational disruptions; and
- the adequacy of preventative measures taken to reduce cybersecurity risks in the context of the industry in which the company operates, and any risks to those preventative measures, including threatened attacks.
As with other risk factors, any cybersecurity risk factors should be specifically tailored to the company, detailing the nature of the risk and how it might impact the company. In other words, avoid generic or boilerplate disclosure. Among other things, such risk factors might include:
- a discussion of attributes of the company’s business or operations that give rise to material cybersecurity risks;
- the potential costs and consequences of cybersecurity risks;
- if a company has outsourced operations and they have material cybersecurity risks, a discussion of those risks and how the company is addressing them;
- a discussion of any cyber incidents experienced by the company that are individually or in the aggregate material, and a description of the potential costs and other consequences of those incidents;
- a discussion of risks related to cyber incidents that may remain undetected for an extended period of time; and
- a description of any relevant insurance coverage.
A company may have to explicitly disclose known or threatened cyber incidents and their potential costs and other consequences to place a discussion of its cybersecurity risks into context. However, the guidance notes that the Division is mindful of concerns that detailed disclosures may compromise security efforts by, among other things, providing would-be attackers with a “road map” through the company’s security system, and emphasizes that disclosure at that level of specificity is not required under the federal securities laws.
With respect to a company’s financial statements the guidance notes that, based on the nature and severity of an actual or potential cyber incident, disclosure may be required in a number of different areas, for example:
- prior to a cyber incident, costs associated with preventative measures may have to be disclosed, such as costs related to internal-use software (ASC 350-40, Internal-Use Software);
- remediation costs associated with the occurrence of a cyber incident may also have to be disclosed, such as incentives offered to maintain customer or partner relationships (ASC 605-50, Customer Payments and Incentives);
- a cyber incident may also require disclosure of loss contingencies for asserted and unasserted claims, such as claims related to warranties, breach of contract, product recalls and replacements, and indemnification of counterparty losses (ASC 450-20, Loss Contingencies);
- a cyber incident may result in a company having diminished future cash flows, requiring consideration of impairments to assets, such as goodwill, customer-related intangible assets, trademarks, patents, capitalized software or other long-lived assets associated with software or hardware, and inventory;
- the impact of a cyber incident may not be immediately known, requiring a company to develop estimates to account for future financial implications, such as estimates of warranty liability, allowances for product returns, capitalized software costs, inventory, litigation and deferred revenue (ASC 275-10, Risks and Uncertainties); and
- where a cyber incident is discovered after the balance sheet date, a company should consider whether disclosure of a subsequent event is necessary (ASC 855-10, Subsequent Events).
Management’s Discussion & Analysis (MD&A)
MD&A disclosure may be warranted if the costs or other consequences of a known or potential cyber incident represent a material event, trend or uncertainty that is reasonably likely to have a material effect on a company’s results of operations, liquidity or financial condition, or would cause the company’s financial information not to be necessarily indicative of future operating results or financial conditions.
Disclosure Controls and Procedures
If a cyber incident poses a risk to a company’s ability to record, process, summarize and report the information required to be disclosed in its filings, the company should consider whether there are deficiencies in its disclosure controls and procedures rendering them ineffective.
Description of Business
Disclosure in a company’s “Description of Business” section may be warranted if a cyber incident materially affects the company’s products, services, customer or supplier relationships, or competitive conditions.
“Legal Proceedings” disclosure may be warranted if a company is party to a material pending legal proceeding that involves a cyber incident.
Current Reports and Road Maps
Finally, the securities laws are designed to “elicit disclosure of timely, comprehensive and accurate information about risks and events that a reasonable investor would consider important to an investment decision.” Accordingly, the guidance notes that a company with an effective shelf registration statement on file should consider whether it needs to disclose a material cyber incident on a Form 8-K (or Form 6-K) in order to maintain the accuracy and completeness of its disclosure information.