The SEC Wades into Cybersecurity Waters

Published: Oct. 18, 2011

Updated: Oct. 05, 2020

Hot on the heels of its recent enforcement actions under Regulation S-P against broker-dealers for disclosure of information to non-affiliated third parties, the SEC has again waded into cybersecurity and privacy waters by providing specific guidance regarding disclosure obligations for cybersecurity risks and cyber incidents.

CF Disclosure Guidance: Topic No. 2, issued on October 13, 2011,  is another step in the SEC’s recognition that cybersecurity risks can impact a business much like other risks covered by Regulation S-K Item 503(c).  Much like litigation, corporate governance, and other risks, the Guidance states that “Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.”  To determine whether such disclosure is required, the SEC directs registrants to evaluate the probability of cyber incidents occurring, the consequences of those attacks, and the adequacy of preventative actions taken to reduce those risks, in the context of the relevant industries.

Importantly, the Guidance advises that evaluation and disclosure occur prior to a cyber incident—particularly where registrants incur substantial costs to prevent incidents.  The Guidance also explicitly makes cybersecurity disclosure part of reporting and evaluating the Company’s internal controls and procedures, noting that “if it is reasonably possible that information would not be recorded properly due to a cyber incident affecting a registrant’s information systems, a registrant may conclude that its disclosure controls and procedures are ineffective.”  Likewise, the Guidance recognizes that during and after an incident, a registrant may be required to disclose losses from asserted and unasserted claims, as well as losses to the company’s goodwill.

How the SEC rule affect actual practices remains to be seen, but the Guidance’s position that companies evaluate their cybersecurity practices regardless of whether they have experienced an incident brings cyber security concerns to the forefront for a company’s auditors and corporate lawyers preparing SEC filings and recognizes the importance of robust and proactive cybersecurity practices.