Disclosure Guidance: Cybersecurity Risks and Cyber Incidents
On October 13, 2011 the Securities and Exchange Commission's (the "Commission's") Division of Corporation Finance released informal disclosure guidance addressing the staff's views on disclosure obligations related to cybersecurity.
The guidance—issued in response to an increasing focus on cybersecurity risks and the impact of cyber incidents on issuers’ operations—addresses what, if any, disclosures are required under existing federal securities laws; it does not create any new or additional disclosure obligations.
The Effects of Cyber Incidents
Cyber incidents come in many forms, ranging from deliberate attacks—the unauthorized access of digital systems for purposes of misappropriating assets or other sensitive information, data corruption, operational disruptions or denial of service attacks—to unintentional events—malware installations, software bugs or network failures.
Whether deliberate or unintentional, cyber incidents can have significant effects on and lead to substantial costs and other negative consequences for an issuer.
By way of example, following a cyber incident an issuer may incur:
- remediation costs, including costs associated with liability for misappropriated assets or other sensitive information, or costs related to incentives offered to maintain customer or partner relationships;
- increased cybersecurity costs;
- revenue losses;
- litigation costs; and
- reputational damage.
The Disclosure Guidance
The Commission's guidance begins with the premise that the federal securities laws "are designed to elicit disclosure of timely, comprehensive and accurate information about risks and events that a reasonable investor would consider important to an investment decision." It then goes on to examine a number of existing disclosure requirements that may trigger the need for cybersecurity risk and cyber incident disclosure, including:
- risk factor disclosures, as required by Item 503 of Regulation S-K ("Reg. S-K");
- financial statement disclosures;
- management's discussion and analysis of financial conditions and results of operations, as required by Item 303 of Reg. S-K;
- disclosure controls and procedures, as required by Item 307 of Reg. S-K;
- disclosures in the description of business section, as required by Item 101 of Reg. S-K; and
- legal proceedings disclosure, as required by Item 103 of Reg. S-K.
In assessing whether and to what extent disclosure of a cybersecurity risk or cyber incident is required under one of the preceding items, you have to consider the materiality of the information in question in light of the surrounding facts and circumstances. You also have to consider whether disclosure might be necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.
Risk Factors
Cybersecurity risk factor disclosure is required if the risk of a cyber incident is "among the most significant factors that make [an investment in your securities] speculative or risky."
When assessing whether to include cybersecurity risk factors in your disclosure documents you should take into consideration all of the relevant facts and circumstances, including, without limitation:
- the occurrence of prior cyber incidents;
- their severity and frequency;
- the probability of future cyber incidents;
- the qualitative and quantitative magnitude of the risk, including, for example, the potential costs and other consequences associated with misappropriated assets or other sensitive information, data corruption or operational disruptions; and
- the adequacy of preventative measures taken to reduce cybersecurity risks in the context of the industry in which you operate, and any risks to those preventative measures, including threatened attacks.
As with any other risk factor, cybersecurity risk factors should be specifically tailored, detailing the nature of the risk and how it might impact your company. In other words, don’t just use generic or boilerplate disclosure.
Among other things, cybersecurity risk factors might include:
- a discussion of attributes of your business or operations that give rise to material cybersecurity risks;
- the potential costs and consequences of any cybersecurity risks;
- if you outsource any portion of your operations and those operations have material cybersecurity risks, a discussion of those risks and how you’re addressing them;
- a discussion of any cyber incidents that are individually or in the aggregate material, and a description of the potential costs and other consequences of those incidents;
- a discussion of the risks related to cyber incidents that may remain undetected for an extended period of time; and
- a description of any relevant insurance coverage.
You may also have to explicitly disclose known or threatened cyber incidents and their potential costs and consequences in order to place a discussion of your cybersecurity risks into context.
The Commission is mindful, however, of concerns that detailed disclosure may compromise security efforts by, among other things, providing would-be attackers with a "road map" through your security systems, and in its guidance emphasizes that disclosure at that level of specificity is not required.
Financial Statement Disclosures
With respect to financial statement disclosures, based on the nature and severity of an actual or potential cyber incident, disclosure may be required in a number of areas, for example:
- prior to a cyber incident, disclosure of costs associated with preventative measures may be required, such as the costs of internal use software (ASC 350-40, Internal-Use Software);
- remediation costs associated with the occurrence of a cyber incident may also be required, such as incentives offered to maintain customer or partner relationships (ASC 605-50, Customer Payments and Incentives);
- a cyber incident may also require disclosure of loss contingencies for asserted and unasserted claims, such as claims related to warranties, breach of contract, product recalls and replacements, and indemnification of counterparty losses (ASC 450-20, Loss Contingencies);
- a cyber incident may result in diminished future cash flows, which may lead to impairment of certain assets, such as goodwill, customer-related intangible assets, trademarks, patents, capitalized software or other long-lived assets associated with software or hardware, and inventory;
- the impact of a cyber incident may not be immediately known, requiring you to develop estimates to account for future financial implications, such as estimates of warranty liability, allowances for product returns, capitalized software costs, inventory, litigation and deferred revenue (ASC 275-10, Risks and Uncertainties); and
- finally, when a cyber incident is discovered after your balance sheet date, you should consider whether disclosure of a subsequent event is necessary (ASC 855-10, Subsequent Events).
Management's Discussion & Analysis of Financial Condition and Results of Operations ("MD&A")
MD&A disclosure may be warranted if the costs or other consequences of a known or potential cyber incident represent a material event, trend or uncertainty that is reasonably likely to have a material effect on your results of operations, liquidity or financial condition, or would cause your financial information not to be necessarily indicative of future operating results or financial conditions.
By way of example, if, in a cyber incident, material intellectual property is misappropriated from your digital systems, and the misappropriation is reasonably likely to have a material effect on your business, your MD&A should address:
- the nature of the intellectual property and the effect of the cyber incident on your results of operations, liquidity and financial condition; and
- whether the cyber incident will cause your reported financial information not to be necessarily indicative of future operating results or financial conditions.
Where it is reasonably likely that a cyber incident will lead to reduced revenues or increased costs, such as cybersecurity costs or costs related to litigation, your MD&A should also address these possibilities, including a discussion of the amount and duration of any expected costs, if material.
Alternatively, if in the above example the cyber incident did not result in the loss of material intellectual property, but did prompt you to materially increase your cybersecurity expenditures, you should note the increased expenditures in your MD&A.
Disclosure Controls and Procedures
If a cyber incident poses a risk to your ability to timely record, process, summarize and report the information required to be disclosed in your filings, you should consider whether there are deficiencies in your disclosure controls and procedures which render them ineffective.
Description of Business
Additional disclosure in your "Description of Business" section may be warranted if a cyber incident materially affects your products, services, customer or supplier relationships, or your competitive conditions.
Legal Proceedings
Additional "Legal Proceedings" disclosure may be warranted if you are party to a material pending legal proceeding involving a cyber incident.
A Note on Shelf Registration Statements and Current Reports
Finally, if you have an effective shelf registration statement on file, you should consider whether and to what extent disclosure of a material cyber incident is necessary on a Form 8-K or Form 6-K in order to maintain the accuracy and completeness of your disclosure information.
If you have any questions or would like any additional information about the contents of this securities law update, please contact your representative at Qashu & Schoenthaler LLP or contact:
Vanessa J. Schoenthaler