Friday, February 03, 2012
SEC Sheds Light on Cyber Threat Disclosure
As public companies increase their use of digital technology in business operations, they increase their exposure to cyber threats. This risk is evidenced by the large number of high-profile cyber attacks conducted against corporations including Sony, RSA, Comcast, Bank of America, and JPMorgan.
Current federal securities law does not explicitly address disclosure requirements for cyber risks and attacks, but the SEC’s Division of Corporation Finance recently published guidance to aid companies in making that determination. It is unclear how the SEC will handle the disclosure issue in the future, but its recent publication emphasizes the importance the government places on cybersecurity.
Cyber incidents can come in many forms, including gaining unauthorized access to digital information, corrupting data, and disrupting operations both electronically and physically. The SEC explains that the obligation to disclose the risk or actual impact of such an incident hinges on “materiality,” that is, what a reasonable investor would consider important in making an investment decision.
Specifically, companies should disclose information about the risk of a cyber incident if it is “among the most significant factors that make an investment in the company speculative or risky.” In making this determination, companies should consider the severity and frequency of previous incidents, the probability of future incidents, and the expected impact of such incidents, including costs and consequences.
Additionally, public companies may be required to provide information on previous cyber attacks to place the extent of the risk in context. The SEC guidance suggests that merely acknowledging the existence of a risk after a cyber attack occurs would likely not be sufficient. A discussion of the specific method of attack and its known and potential consequences may need to be disclosed in order to capture the full extent of the particular cyber risk.
Experts have differing opinions as to whether the recent disclosure guidance will have any immediate impact on public companies revealing information about cyber attacks. However, at the very least, the publication puts businesses on notice that the SEC is aware of corporate cyber risk and recognizes the critical impact such threats pose to the use of technology in conducting business. The SEC has made it clear that, despite an absence of express language dealing with cyber incidents, disclosure may be necessary in certain circumstances.
Going beyond the potential issue of having to make cyber attack details public, the SEC’s message should help focus companies on their cybersecurity plans. This in turn will hopefully get public corporations to consider and plan for the full extent to which cyber threats impact all aspects of business. While disclosure is an important step, it is only part of a much larger process businesses must take to secure their electronic media and protect their customers and investors.
Nothing gets a company more concerned about cybersecurity than being a cyber victim. Hopefully, the SEC and other government entities bringing cyber issues to the forefront will get businesses to start taking adequate measures to protect themselves before becoming cyber attack victims.
Securities and Exchange Commission, CF Disclosure Guidance: Topic No. 2, Cybersecurity, available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
© Copyright 2010 The Journal of High Technology Law, Suffolk University Law School