SEC Issues Cyber-Incident GuidanceCommission Hadn't Required Specific Cyber Reports Before
SEC regulations already require companies to report incidents that could have an unfavorable impact on their corporate financial performance, but did not explicitly refer to cybersecurity risks and cyber incidents. This guidance is, simply, a strong recommendation and does not have the force of an SEC regulation. The commissioners have neither approved nor disapproved of the guidance.
Still, Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., said the guidance is an important forward step in protecting investors.
"For years, cyber risks and incidents material to investors have gone unreported in spite of existing legal obligations to disclose them," said Rockefeller, who along with other senators last May called for the SEC guidance (see Senators Ask SEC to Issue IT Security Guidance).
"Intellectual property worth billions of dollars has been stolen by cyber criminals, and investors have been kept completely in the dark," the senator said. "This guidance changes everything. It will allow the market to evaluate companies in part based on their ability to keep their networks secure. We want an informed market and informed consumers, and this is how we do it."
The guidance recognizes that in disclosing an incident the filer needn't divulge certain details: "We are mindful of potential concerns that detailed disclosures could compromise cybersecurity efforts - for example, by providing a 'roadmap' for those who seek to infiltrate a registrant's network security - and we emphasize that disclosures of that nature are not required under the federal securities laws."
According to the guidance:
- Risk of cyber incidents should be discussed if they are among the most significant factors that make an investment in the company speculative or risky. Companies should consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption.
- Companies should address cybersecurity risks and cyber incidents in their filings' management discussion if the costs or other consequences from a risk would likely have a material effect on their operations or finances. For instance, if intellectual property is stolen in a cyberattack, and the effects of the theft would likely to be material, the company should describe the stolen property and the effect of the theft on operations and finances.
- Companies should disclose in a filing's description-of-business section the affect on products, services, relationships with customers or suppliers or competitive conditions should a cyber incident have a material affect.
- If significant legal proceedings involve cyber incidents, companies should disclose that in their SEC filings.
"As with other operational and financial risks," the guidance states, "registrants should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents."