Skip to main content

SEC Guidance to Public Companies: Evaluate and Disclose Cybersecurity Risks

The Securities and Exchange Commission (SEC) has issued guidance to public companies with respect to disclosure relating to cybersecurity and data breach risks.    This release is from the Commission's Division of Corporation Finance and is not a rule or regulation -- but it is clear that public companies that ignore the advice in the Disclosure Guidance and fail to assess and disclose material cybersecurity risks could face regulatory and legal action.

A key point from an information management perspective is that the plain language of the Guidance can only be interpreted as calling for particular and specific (non-generic) disclosure if the risk of cyber attack or data breach is reasonably likely to be material to a public company.   The Guidance discusses not only what is thought of in terms of privacy and data breaches, but also cyber attacks that could result in the theft of material intellectual property.  The SEC staff gave as an example: 

if material intellectual property is stolen in a cyber attack, and the effects of the theft are reasonably likely to be material, the registrant should describe the property that was stolen and the effect of the attack on its results of operations, liquidity, and financial condition and whether the attack would cause reported financial information not to be indicative of future operating results or financial condition.

A company can only make accurate disclosure of risks if a risk assessment is undertaken to determine if, and what, disclosure is required.   Directors and officers outside the traditional information technology/security management circle will need to pay greater attention to these potential disclosure issues.

The Guidance may impact the traditional breach notification process as well.  Companies may now need to analyze not only whether notice to impacted individuals is necessary, but also whether shareholders should be getting a disclosure in financial statements and whether other SEC filings (such as a Form 8-K) should be made in connection with a data breach.

Subscribe To Viewpoints

Author

Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.