On October 13 the Division of Corporation Finance of the Securities and Exchange Commission issued disclosure guidance to assist registrants “in assessing what, if any, disclosures should be provided about cybersecurity matters in light of each registrant’s specific facts and circumstances.”
The disclosure guidance provides a list of potential negative consequences and substantial costs that a registrant may incur as a result of a successful cyber attack, including remediation costs, increased cybersecurity protection costs, loss of revenues, litigation and reputational damage. The disclosure guidance suggests that although no existing disclosure requirement explicitly refers to cybersecurity risks, depending on the circumstances and the company’s particular situation (the guidance urges registrants to avoid generic disclosure), the following sections of public filings may be implicated:
- Risk Factors – registrants should consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences that may result. Depending upon the registrant’s particular facts and circumstances, and to the extent material, risk factor disclosure may include the aspects of the registrant’s operations that give rise to material cybersecurity risks; to the extent the registrant outsources functions that are subject to such risks, a description of those functions; risks related to cyber incidents that may remain undetected for an extended period; and a description of relevant insurance coverage.
- Management’s Discussion and Analysis of Financial Condition and Results of Operation (MD&A) – the disclosure guidance encourages registrants to address cybersecurity risks and past cyber incidents in their MD&A if the costs and other consequences associated “with one or more known incidents or the risk of potential incidents” represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition.
- Description of Business and Legal Proceedings – if incidents have already impacted, or may materially impact, the registrant’s business, or if there are pending material legal proceedings, full disclosure should be made.
- Financial Statement Disclosures – here the disclosure guidance references various accounting principles that may be implicated in the event of a cyber incident, including loss contingencies, cash flow diminution and customer payments and incentives that may result from a registrant seeking to mitigate damages.
The disclosure guidance may be accessed here.