The SEC’s Staff of the Division of Corporation Finance recently issued guidance to help clarify public reporting companies’ disclosure obligations in the area of cybersecurity risks and cyber incidents. The guidance, which does not change existing disclosure obligations for public companies, should help company officers responsible for security, privacy, or securities compliance, as well as securities law practitioners, better understand the Staff’s expectations on disclosure in this area. Our recent Client Alert reviews the guidance in greater detail. Here, we highlight a few points worth noting:
- Cyber incidents that may need to be disclosed are not limited to targeted attacks or security breaches; they may also include security lapses or systems failures;
- Cybersecurity can implicate disclosure obligations not only in a company’s risk factors, but also its MD&A, description of business, legal proceedings, financial statements, and disclosure controls and procedures; and
- Compliance with its disclosure obligations does not require a public company to provide detailed information that might compromise its cybersecurity, only such information as would help investors appreciate the risks involved.
The ever-increasing importance of technology for most companies brings with it increased cybersecurity risks and the potential for a material cyber incident. Public awareness of cybersecurity issues is also growing: politicians and regulators have held hearings or commenced investigations into recent cyber incidents involving some large companies, and the plaintiffs’ bar has not been idle either. Public reporting companies can expect the scrutiny to increase. Close cooperation between the technology and legal functions in identifying and responding to reportable events is required.