Yesterday, the SEC’s Division of Corporation Finance issued a guidance document regarding public companies’ disclosure obligations relating to cybersecurity risks and breaches.  The guidance responds to a request by Sen. Jay Rockefeller that the SEC clarify its position on this increasingly important issue.

The Division noted that as companies have turned to digital technologies to conduct their operations, cybersecurity risks–and incidents–have increased.  Although there is no disclosure requirement under the federal securities laws that specifically addresses cybersecurity, the Division explained that existing regulations may require disclosure of cyber risk assessments and the costs stemming from incidents.  It is important to note, as the Division does, that this is guidance, not a rule, regulation, or order (as some headlines have suggested).

We provide an overview of the guidance after the jump.  For additional information please see this E-Alert prepared by members of our Global Privacy & Data Security and Securities & Corporate Finance practice groups.


The Division referenced the following sections of Regulation S-K as potentially requiring disclosures related to cybersecurity:

  • Item 503(c) (“Risk Factors”), which requires companies to disclose risks facing the business that might make an investment in the company’s stock speculative or risky.  If cybersecurity presents a material risk, the Division suggests that, depending on the company’s particular situation, disclosures concerning cybersecurity might include, among other things:  (1) discussion of the aspects of the company’s operations that give rise to material cybersecurity risks and the potential costs and consequences; (2) description of any cyber incidents that the company has experienced, and the costs associated with those incidents, if material; and (3) description of relevant insurance coverage.
  • Item 303 (“Management’s Discussion and Analysis of Financial Condition and Results of Operations” or “MD&A”), which requires a discussion and analysis of the company’s financial condition and results of operations.  This should address cybersecurity risks and incidents if costs or other consequences associated with known incidents or the risk of potential incidents represent a “material event, trend, or uncertainty that is reasonably likely to have a material effect on the [company’s] results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.”  The Division notes that an example of an event that might trigger such disclosures would be the theft of material intellectual property in a cyber attack.
  • Item 101 (“Description of the Business”), which requires a description of the company’s business.  Where a cyber incident has materially affected a company’s products, services or relationships with customers or suppliers, the Division suggests that the impact should be discussed.
  • Item 103 (“Legal Proceedings”), which requires a brief description of “material pending legal proceedings, other than routine litigation incidental to the business.”  This might include, for example, a suit against the company involving a loss of customer information as the result of a cyber incident, if the liability that could be incurred by the company is material.
  • Item 307 (“Disclosure Controls and Procedures”), which requires disclosure of the company’s conclusions regarding the effectiveness of the company’s disclosure controls and procedures.  To the extent a cyber incident affects a company’s ability to comply with its SEC disclosure obligations, the company must consider whether this has impaired the effectiveness of its disclosure controls.
David Fagan co-chairs the firm’s top ranked practice on cross-border investment and national security matters, including reviews conducted by the Committee on Foreign Investment in the United States (CFIUS), and is a partner in the firm’s data privacy and cybersecurity practice.

David has been recognized by Chambers USA and Chambers Global for his leading expertise on bet-the-company CFIUS matters and has received multiple accolades for his work in this area, including being named The American Lawyer’s Dealmaker of the Year three times. His work includes successfully securing three of the four Presidential approvals in the history of CFIUS; securing the only Presidential order protecting a client against a proposed hostile takeover; and negotiating the only “golden share” the U.S. government has taken in a U.S. company. Clients laud him for “[seeing] far more matters than many other lawyers,” his “incredible insight,” and “know[ing] how to structure deals to facilitate regulatory reviews” (Chambers USA).

For more than two decades, David has handled transactions for clients across every sector subject to CFIUS review, including some of the most sensitive and complex matters that have set the template for CFIUS compliance and security agreements in their respective industries. He is also routinely called upon to rescue transactions that encounter challenges in CFIUS; provide strategic counsel to clients on navigating and addressing U.S. national security considerations in commercial transactions; and negotiate solutions with the U.S. government, including equity arrangements, that protect national security interests while preserving shareholder value and U.S. business interests.

In the enforcement area, David has represented clients in numerous enforcement actions pursued by CFIUS, including two of the three largest penalty cases resolved with CFIUS.

Reflecting his experience on complex U.S. national security matters intersecting with China, David is regularly engaged by the world’s leading multinational companies to advise on emerging legal issues, including outbound investment restrictions and regulations governing information and communications technologies and services (ICTS), as well as strategic legal projects related to the evolving U.S.-China competitive landscape.

In addition, in the foreign investment and national security area, David routinely advises clients on matters requiring mitigation of foreign ownership, control, or influence (FOCI) under applicable national industrial security regulations. His work includes advising many of the world’s leading aerospace and defense companies and private equity firms, as well as telecommunications transactions subject to public safety, law enforcement, and national security review by Team Telecom.