The Securities and Exchange Commission has issued new guidance to help public companies determine when they may need to disclose an attack – or even a potential attack – in order to make potential investors aware of possible risks to the company’s business. The guidance, which does not constitute a rule or requirement for companies to disclose, is meant to help “registrants in assessing what, if any, disclosures should be provided about cybersecurity matters.”

The SEC issued the guidance on Thursday in response to the rising tide of attacks on financial services firms and other publicly traded companies, and it comes at a time when lawmakers and others are calling for mandatory breach disclosure and better regulation of the ways that companies handle security incidents. The statement from the SEC’s Division of Corporate Finance emphasizes that each regulated company needs to take into account a number of factors specific to their situation and decide whether and what they may need to disclose in their regulatory filings.

“A registrant may need to disclose known or threatened cyber incidents to place the discussion of cybersecurity risks in context. For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur. Instead, as part of a broader discussion of malware or other similar attacks that pose a particular risk, the registrant may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences,” the SEC statement says.

The new guidance from the SEC spells out some of the things that companies may need to disclose to investors and others, depending upon their situation. Some of the potential items companies may need to disclose include:

  • Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
  • To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
  • Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
  • Risks related to cyber incidents that may remain undetected for an extended period.

The statement also says that companies may need to disclose attacks in which material intellectual property was taken from the firm.

“For example, if material intellectual property is stolen in a cyber attack, and the effects of the theft are reasonably likely to be material, the registrant should describe the property that was stolen and the effect of the attack on its results of operations, liquidity, and financial condition and whether the attack would cause reported financial information not to be indicative of future operating results or financial condition,” the statement says.



  1. Nitin Bedi

    It’s quite interesting and refreshing to see that the SEC has decided to address this issue. The role of the SEC is to regulate the capital markets and provide confidence to shareholders. The recent cyber-attacks have resulted in a number of large corporations identified as targets for the hackers and potentially may have lost confidential information.

    The implementation of disclosures related to cybersecurity risks and incidents seems similar to the implementation of Sarbanes-Oxley, where public corporations were required to demonstrate that the relevant controls (Financial and IT General Controls) had been implemented and tested appropriately, and specific responsibilities and fines would be levied if found non-compliant.

    The recent cyber-attacks have demonstrated that organizations can be faced with various types of disruption, financial loss and loss of intellectual property. All of these pose a risk to the organization and can affect shareholder value, and hence the requirement to be disclosed by the corporation. In addition, substantial financial and non-financial costs may be required for the implementation of remediation controls and countermeasures to close any gaps, and shareholders have the right to know as it affects their investments.
