Yesterday, the SEC’s Division of Corporation Finance issued a guidance document regarding public companies’ disclosure obligations relating to cybersecurity risks and breaches.  The guidance responds to a request by Sen. Jay Rockefeller that the SEC clarify its position on this increasingly important issue.

The Division noted that as companies have turned to digital technologies to conduct their operations, cybersecurity risks–and incidents–have increased.  Although there is no disclosure requirement under the federal securities laws that specifically addresses cybersecurity, the Division explained that existing regulations may require disclosure of cyber risk assessments and the costs stemming from incidents.  It is important to note, as the Division does, that this is guidance, not a rule, regulation, or order (as some headlines have suggested).

We provide an overview of the guidance after the jump.  For additional information please see this E-Alert prepared by members of our Global Privacy & Data Security and Securities & Corporate Finance practice groups.


The Division referenced the following sections of Regulation S-K as potentially requiring disclosures related to cybersecurity:

  • Item 503(c) (“Risk Factors”), which requires companies to disclose risks facing the business that might make an investment in the company’s stock speculative or risky.  If cybersecurity presents a material risk, the Division suggests that, depending on the company’s particular situation, disclosures concerning cybersecurity might include, among other things:  (1) discussion of the aspects of the company’s operations that give rise to material cybersecurity risks and the potential costs and consequences; (2) description of any cyber incidents that the company has experienced, and the costs associate with those incidents, if material; and (3) description of relevant insurance coverage.
  • Item 303 (“Management’s Discussion and Analysis of Financial Condition and Results of Operations” or “MD&A”), which requires a discussion and analysis of the company’s financial condition and results of operation.  This should address cybersecurity risks and incidents if costs or other consequences associated with known incidents or the risk of potential incidents represent a “material event, trend, or uncertainty that is reasonably likely to have a material effect on the [company’s] results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.”  The Division notes that an example of an event might trigger such disclosures would be the theft of material intellectual property in a cyber attack.
  • Item 101 (“Description of the Business”), which requires a description of the company’s business.  Where a cyber incident has materially affected a company’s products, services or relationships with customers or suppliers, the Division suggests that the impact should be discussed.
  • Item 103 (“Legal Proceedings”), which requires a brief description of “material pending legal proceedings, other than routine litigation incidental to the business.”  This might include, for example, a suit against the company involving a loss of customer information as the result of a cyber incident, if the liability that could be incurred by the company is material.
  • Item 307 (“Disclosure Controls and Procedures”), which requires disclosure of the company’s conclusions regarding the effectiveness of the company’s disclosure controls and procedures.  To the extent a cyber incident affects a company’s ability to comply with its SEC disclosure obligations, the company must consider whether this has impaired the effectiveness of its disclosure controls.
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of David Fagan David Fagan

David Fagan co-chairs the firm’s top ranked practices on cross-border investment and national security matters, including reviews conducted by the Committee on Foreign Investment in the United States (CFIUS), and data privacy and cybersecurity.

Mr. Fagan has been recognized by Chambers USA and…

David Fagan co-chairs the firm’s top ranked practices on cross-border investment and national security matters, including reviews conducted by the Committee on Foreign Investment in the United States (CFIUS), and data privacy and cybersecurity.

Mr. Fagan has been recognized by Chambers USA and Chambers Global for his leading expertise on bet-the-company CFIUS matters and has received multiple accolades for his work in this area, including twice being named Dealmaker of the Year by The American Lawyer for 2016 and 2019. Clients laud him for providing “excellent advice,” “know[ing] everything there is to know about CFIUS” and being “extremely well regarded” by key regulators. (Chambers USA)

In the foreign investment and national security area, Mr. Fagan is known for his work on matters requiring the mitigation of foreign ownership, control or influence (FOCI) under applicable national industrial security regulations, including for many of the world’s leading aerospace and defense firms, private equity firms, and sovereign investors, as well as telecommunications transactions that undergo a public safety, law enforcement, and national security review by the group of agencies known as “Team Telecom.”

Mr. Fagan’s practice covers representations of both foreign and domestic companies before CFIUS and related national security regulators. The representations encompass matters in which the principal assets are in the United States, as well as those in which there is a smaller U.S. nexus but where solving for the CFIUS issues – including through proactive mitigation and carve-outs – is a critical path for the transaction. Mr. Fagan is also routinely called upon to rescue transactions that have run into challenges in CFIUS, and to negotiate solutions with the U.S. government that protect national security interests, while preserving shareholder and U.S. business interests.

Reflecting his work on U.S.-China investment issues and his experience on complex U.S. national security matters intersecting with China, Mr. Fagan is regularly engaged by multi-national companies, including the world’s leading technology companies, to advise on strategic legal projects, including supply chain matters, related to their positioning in the emerging competition between the U.S. and China. Mr. Fagan also has testified before a congressional commission regarding U.S. national security, trade, and investment matters with China.

In the privacy and data security area, Mr. Fagan has counseled companies on responding to some of the most sophisticated documented cyber-based attacks on their networks and information, including the largest documented infrastructure attacks, as well as data security incidents involving millions of affected consumers. He has been engaged by boards of directors of Fortune 500 companies to counsel them on cyber risk and to lead investigations into cyber attacks, and he has responded to investigations and enforcement actions from the Federal Trade Commission (FTC) and state attorneys general. Mr. Fagan has also helped clients respond to ransomware attacks, insider theft, vendor breaches, hacktivists, state-sponsored attacks affecting personal data and trade secrets, and criminal organization attacks directed at stealing personal data, among other matters.

In addition, he routinely counsels clients on preparing for and responding to cyber-based attacks on their networks and information, enhancing their supply chain and product development practices, assessing their security controls and practices for the protection of data, developing and implementing information security programs, and complying with federal and state regulatory requirements. He also frequently advises clients on transactional matters involving the transfer of personal data.