Small Business Securities Bulletin - SEC’s Division of Corporation Finance Issues Guidance on Disclosure of Cybersecurity Risks and Cyber Incidents
A periodic bulletin keeping small businesses informed about current developments in securities law and related matters.
On October 13, 2011, the Securities and Exchange Commission’s (SEC) Division of Corporation Finance issued “CF Disclosure Guidance; Topic No. 2 – Cybersecurity” (Guidance). The Guidance provides the Division of Corporation Finance’s views regarding SEC reporting companies’ disclosure obligations with respect to cybersecurity risks and cyber incidents, and aims to assist companies “in assessing what, if any, disclosures should be provided about cybersecurity matters in light of each [company’s] specific facts and circumstances.” Pursuant to the Guidance, such disclosure may be appropriate in the Risk Factors, Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A), Business Description, Legal Proceedings, and Financial Statements sections of a company’s report.
For example, disclosure would be appropriate in the Risk Factors discussion if cybersecurity risks are among the most significant risks that make an investment in the company speculative or risky, as long as it is a risk specific to the company or its industry and not of the type that would apply to any company. In this regard, the frequency and severity of prior incidents and the probability of future incidents should be considered. Examples of appropriate risk factor disclosure provided in the Guidance include a discussion of aspects of the company’s business or operations giving rise to the cybersecurity risks, the potential costs and other consequences of such risks, how outsourcing might impact such risks, a discussion of past incidents, and disclosure of relevant insurance coverage. MD&A disclosure would be appropriate to the extent that costs and other consequences associated with cybersecurity risks or cyber incidents are likely to materially affect the company’s results of operations, liquidity or financial condition, while a discussion in the Business section would be appropriate if cyber incidents materially affect a company’s products, services, customer or supplier relationships or competitive conditions. Further, material legal proceedings involving cybersecurity risks or cyber incidents would require disclosure in the Legal Proceedings section of the report, while costs incurred both to prevent potential incidents and mitigate damages from actual incidents would have to be addressed in the financial statements in accordance with the appropriate Accounting Standards Codification (ASC) guidance. Disclosure that would compromise a company’s cybersecurity efforts, however, is not required.
Finally, management also must consider whether there are any deficiencies in the company’s disclosure controls and procedures “[t]o the extent cyber incidents pose a risk to the [company’s] ability to record, process, summarize, and report information that is required to be disclosed in [SEC] filings.”
Although the Guidance represents solely the views of the Division of Corporation Finance and is not a rule, regulation or statement of the SEC, SEC reporting companies should review the Guidance and consider whether any additional disclosure with respect to cybersecurity risks and cyber incidents is appropriate in their upcoming quarterly reports on Form 10-Q and annual reports on Form 10-K. Further, you should periodically review these disclosures to ensure that they are current. The Guidance is available at www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
About Me. I am a former SEC attorney who also has prior “big firm” experience. I assist public as well as private companies with compliance with federal and state securities laws, including assisting public companies with their reporting obligations under the Securities Exchange Act of 1934, at competitive billing rates. Please contact me if you would like more information about my practice or to discuss how I can be of assistance to you. Visit my bio at www.ober.com/attorneys/penny-somer-greif.
This Bulletin contains only a general overview of the matters discussed herein and should not be construed as providing legal advice. If you have any questions about the information in this Bulletin or would like additional information with respect to these matters, please contact me at 410.347.7341 or via e-mail at email@example.com.
© 2013 Ober|Kaler All Rights Reserved.