The Securities and Exchange Commission has issued new guidance to help public companies determine when they may need to disclose an attack, or even a potential attack, in order to make potential investors aware of possible risks to the company’s business. The guidance, which does not constitute a rule or requirement for companies to disclose, is meant to help “registrants in assessing what, if any, disclosures should be provided about cybersecurity matters.”
The SEC issued the guidance on Thursday in response to the rising tide of attacks on financial services firms and other publicly traded companies, and it comes at a time when lawmakers and others are calling for mandatory breach disclosure and better regulation of the ways that companies handle security incidents. The statement from the SEC’s Division of Corporate Finance emphasizes that each regulated company needs to take into account a number of factors specific to its own situation and decide whether, and what, it may need to disclose in its regulatory filings.
“A registrant may need to disclose known or threatened cyber incidents to place the discussion of cybersecurity risks in context. For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur. Instead, as part of a broader discussion of malware or other similar attacks that pose a particular risk, the registrant may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences,” the SEC statement says.
The new guidance from the SEC spells out some of the things that companies may need to disclose to investors and others, depending upon their situation. Some of the potential items companies may need to disclose include:
- Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
- To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
- Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
- Risks related to cyber incidents that may remain undetected for an extended period.
The statement also says that companies may need to disclose attacks in which material intellectual property was taken from the firm.
“For example, if material intellectual property is stolen in a cyber attack, and the effects of the theft are reasonably likely to be material, the registrant should describe the property that was stolen and the effect of the attack on its results of operations, liquidity, and financial condition and whether the attack would cause reported financial information not to be indicative of future operating results or financial condition,” the statement says.