Trending cybersecurity disclosures

January 19, 2017

Cybersecurity Alert

Author(s): Jason P. Gonzalez, Tiana M. Butcher, Carolyn Lowry

Should public companies disclose information about vulnerabilities to, and costs of preventing and responding to, cyberattacks in their periodic reports filed with the U.S. Securities and Exchange Commission (SEC)? This alert looks back at SEC Guidance on Cybersecurity disclosures and analyzes recent SEC comment letters to help companies evaluate whether additional cybersecurity disclosures may be warranted in their upcoming reports.

This year’s CES conference in Las Vegas, NV demonstrated that connectivity is at the heart of recent innovations, including connected enterprise solutions, connected homes and even connected sleep technologies. But having connected businesses and connected lives requires an investment in cybersecurity measures to protect our systems and data. Many companies have adjusted their risk mitigation strategies to respond to cyber threats at every level. While cybersecurity was once the responsibility of information technology personnel, management increasingly recognizes that every individual in a company and throughout its supply chain has a responsibility to protect the company from cyber attacks. However, there are a number of difficult questions to consider regarding the extent to which a public company should disclose information about its vulnerabilities to cyber attacks and the efforts it has taken to mitigate those risks in its periodic reports.

The outgoing Chair of the U.S. Securities and Exchange Commission (SEC), Mary Jo White, described cybersecurity as one of the greatest risks facing the financial services industry.[1] While the SEC did not adopt any regulations requiring public company disclosures specific to cybersecurity, the SEC’s Division of Corporation Finance released Disclosure Guidance in 2011 that highlights a registrant’s obligations to disclose material risks and costs associated with cyber threats and incidents.[2]

President-elect Trump has promised to make cybersecurity a focus of his administration. He has, however, also been a vocal opponent of new regulations. During his campaign, President-elect Trump promised a “temporary moratorium on new agency regulations that are not compelled by Congress or public safety.”[3] He has appointed Jay Clayton, currently a partner at Sullivan and Cromwell, to serve as SEC Chair and, in the release announcing Mr. Clayton’s nomination, expressed a need to “undo many regulations which have stifled investment in American businesses …”[4]

It is not yet clear whether the SEC, under a Trump administration, will propose new regulations requiring disclosures specific to cybersecurity. However, based on the SEC’s existing disclosure rules and recent SEC staff comments, we expect that the trend of more prominent disclosures relating to cybersecurity will continue.

Cybersecurity guidance

According to the Guidance, reporting companies are asked to consider whether cybersecurity risks and incidents should be reported pursuant to existing Regulation S-K. The SEC suggests, in its Guidance, that cybersecurity disclosures may be appropriate in the following sections of a company’s periodic reports.

  • Description of business: Under Item 101 of Regulation S-K, a registrant must provide a description of its business, including details of the general development of the business and financial information relating to segments and geographic areas. A registrant should disclose details of a cyber incident or risk in this section if it has a material impact on one of the registrant’s reportable segments or if it materially affects a registrant’s products, services, relationships or competitive conditions.
  • Legal proceedings: Under Item 103 of Regulation S-K, a registrant should disclose any material pending legal matter involving a cyber incident; such disclosure should include key case information, such as the relevant court, dates, parties, factual basis for the claim and relief sought.
  • Management’s discussion and analysis (MD&A): Under Item 303 of Regulation S-K, a registrant should disclose a cyber risk or incident if the costs associated with it “represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the company’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.” If an attack is reasonably likely to lead to materially reduced revenue, increased expenditures relating to insurance or protection costs, including litigation, a registrant should disclose this information.
  • Disclosure controls and procedures: Under Item 307 of Regulation S-K, registrants must disclose information relating to the effectiveness of the registrant’s disclosure controls and procedures. A registrant should disclose any risks involved with cyber incidents affecting or potentially affecting a registrant’s ability to record, process, summarize or report information for SEC filings.
  • Risk factors: Under Item 503(c) of Regulation S-K, registrants must disclose cybersecurity risks if they are among the most significant factors that make an investment speculative or risky. Registrants should evaluate cybersecurity risks, including the severity and frequency of any prior cyber incidents, probability and likely magnitude of future incidents, adequacy of any preventive measures, and costs of protective measures and cyber incidents. These risk disclosures should be tailored and informative, rather than simply using generic “boilerplate” language that could be applicable to any registrant.

In addition to the disclosures required under Regulation S-K, a registrant should also consider how a cyber incident may affect the registrant’s financial statements and how cyber risks could result in changes in cost estimates and accounting. A registrant may have to account for costs of preventing cyber incidents (ASC 350-40, Internal-Use Software), as well as expenses and losses incurred during and after a cyber incident. More specifically, a registrant may have to account for costs of incentives for maintaining a business relationship in the event of an incident (ASC 605-50, Customer Payments and Incentives) or losses from various claims and liabilities (ASC 450-20, Loss Contingencies).

Importantly, the Guidance clarifies that a registrant is not required to make disclosures that would compromise its cybersecurity. There is no obligation to provide a “roadmap” of cyber vulnerabilities that could be exploited to infiltrate a registrant’s systems.

Disclosure trends

It appears that the SEC staff has taken the Guidance into account when reviewing company periodic reports. Based on our review of recent SEC staff comment letters, the comments generally fall into one of three categories: (1) requests for details about cyber incidents; (2) requests for information about potential risks of cyber attack and (3) requests for details about the registrant’s cyber liability insurance.

  • Cyber incidents: When a registrant has disclosed a cyber incident, the SEC has asked that the registrant explain how it determined whether a single event, or multiple events in the aggregate, would be material and include a description of the costs and other consequences. The SEC has asked registrants that have identified material cyber incidents to describe the attacks, as well as any resulting loss or unauthorized disclosure of confidential or proprietary data. The SEC has requested details about the “scope and magnitude” of a computer intrusion, as well as further information about information technology weaknesses, vendor/vendee relationships, internal controls to protect against cyberattacks, and the costs and other consequences of a cyber incident. Registrants that experienced cybersecurity incidents that were not material to their businesses were also asked to state this fact in future filings so investors are aware that such registrants are experiencing these cyberattacks.
  • Explanation of cyber risks: In response to certain boilerplate risk factors noting the potential for cyber attacks and the possible consequences of such attacks, the SEC staff has requested that disclosures be revised to state whether the registrant has experienced any security breaches, cyber attacks or similar events to provide proper context for such risk factor disclosure. Certain companies that have not noted cybersecurity risks have also been asked by the SEC staff to justify why disclosure of cyber risks was unnecessary. Registrants particularly susceptible to cyber attacks, such as online businesses or businesses that conduct sales solely or primarily online, have specifically been asked by the SEC staff for the particular aspects of their businesses and operations that give rise to material cybersecurity risks. Online businesses have also been asked to describe the extent to which their businesses depend on their online presence and any cybersecurity or web server maintenance issues they have experienced during the applicable period. The SEC staff has also encouraged registrants that depend on business conducted over the Internet to include a risk factor relating to cybersecurity.
  • Preventive measures: If a registrant identified a risk of cyber attack in its periodic reports, the SEC staff has requested information on the preventive measures taken to reduce these risks and whether the costs associated with those preventive measures are reasonably likely to have a material effect on its results of operations, liquidity and financial condition. The SEC staff has also requested that registrants referencing a cybersecurity insurance policy provide details, such as the amount of coverage and any material limitations on coverage.

Regardless of whether the SEC takes action in promulgating cybersecurity regulations, the cybersecurity challenges we face are evolving rapidly and increasingly complex, and the trend of more prominent disclosure relating to cybersecurity-related risks, incidents and preventive measures is likely to continue.

  1. Keynote Address Investment Company Institute 2016 General Meeting – “The Future of Investment Company Regulation” by Chair Mary Jo White, May 20, 2016 available here.
    [Back to reference]
  2. SEC CF Disclosure Guidance: Topic No. 2 (2011), available here.
    [Back to reference]
  3. “Regulations,” available here.
    [Back to reference]
  4. “President-Elect Donald J. Trump Nominates Jay Clayton Chairman of the SEC,” available here.
    [Back to reference]

The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

Back to top