By Cydney Posner
Corp Fin has just issued some new "Disclosure Guidance" providing its views on disclosure obligations relating to cybersecurity risks and cyber incidents.
With increasing migration toward the web and the cloud, risks associated with cyber attacks and inadequate cybersecurity have increased. Cyber attacks may be carried out for purposes of misappropriating assets or sensitive information, corrupting data or otherwise causing operational disruption through unauthorized or authorized access. In preparing the guidance, the Staff took into account "potential concerns that detailed disclosures could compromise cybersecurity efforts -- for example, by providing a 'roadmap' for those who seek to infiltrate a registrant's network security -- and [the Staff] emphasize[s] that disclosures of that nature are not required under the federal securities laws."
The objectives of cyber attacks can vary from theft of assets or information to disruption of operations. Some of the potential negative consequences identified by the Staff include the following:
- Remediation costs that may include liability for stolen assets or information, repairing system damage, as well as incentives offered to customers or other business partners in an effort to maintain the business relationships after an attack;
- Increased cybersecurity protection costs that may include organizational changes, deploying additional personnel and protection technologies, training employees and engaging third party experts and consultants;
- Lost revenues resulting from unauthorized use of proprietary information or the failure to retain or attract customers following an attack;
- Litigation; and
- Reputational damage adversely affecting customer or investor confidence.
Disclosure Regarding Cybersecurity Risks and Cyber Incidents
While there are no explicit references to cyber attacks in the rules, a number of existing disclosure requirements may impose an obligation to disclose risks and incidents:
Risk Factors
Registrants should disclose the risk of cyber incidents if that risk is among the registrant's most significant. In determining whether risk factor disclosure is required, the Staff expects registrants to evaluate their cybersecurity risks and take into account all available relevant information:
- prior cyber incidents and the severity and frequency of those incidents;
- the probability of future cyber incidents;
- quantitative and qualitative magnitude of the potential consequences, including costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption; and
- the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which the registrant operates and risks to that security, including threatened attacks of which the registrant is aware.
The disclosure should adequately describe the nature of the material risks and specify how each risk affects the registrant, avoiding generic risk factor disclosure that could apply to any registrant.
Depending on the facts and circumstances, appropriate disclosures may include:
- Discussion of aspects of the business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
- To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
- Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
- Risks related to cyber incidents that may remain undetected for an extended period; and
- Description of relevant insurance coverage.
If there are known or threatened cyber incidents, they may need to be disclosed "to place the discussion of cybersecurity risks in context. For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur. Instead, as part of a broader discussion of malware or other similar attacks that pose a particular risk, the registrant may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences." (That's a good point to keep in mind when crafting other risk factors as well.) Registrants need to avoid "boilerplate" disclosure and instead provide "sufficient disclosure to allow investors to appreciate the nature of the risks faced by the particular registrant in a manner that would not [compromise its cybersecurity]."
Management's Discussion and Analysis of Financial Condition and Results of Operations (MD&A)
Registrants should address cybersecurity risks and cyber incidents in MD&A "if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant's results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition." For example, in the event of a theft of material intellectual property that is reasonably likely to have a material effect, the registrant should describe the following:
- the property that was stolen;
- the effect of the attack on results of operations, liquidity and financial condition;
- whether the attack would cause reported financial information not to be indicative of future operating results or financial condition; and
- if reasonably likely, the possibility that the attack will lead to reduced revenues, an increase in cybersecurity protection costs, including those related to litigation, and the amount and duration of the expected costs, if material.
If the attack did not result in any loss of intellectual property, describe any material increase in cybersecurity protection expenditures that resulted.
Description of Business
Describe any material impact on any reportable segment of a cyber incident on the segment's products, services, relationships with customers or suppliers, or competitive conditions. As an example, if a cyber incident impairs the viability of a new product in development, the registrant should discuss the incident and any potential material impact.
Legal Proceedings
If a cyber incident results in litigation, the Legal Proceedings disclosure should include a description of any material pending legal proceeding to which the registrant or any of its subsidiaries is a party arising out of the incident, including the name of the court, the date instituted, the principal parties, the factual basis alleged to underlie the litigation and the relief sought.
Financial Statement Disclosures
Disclosure of cybersecurity risks and cyber incidents could be required throughout the financial statements:
- costs incurred to prevent cyber incidents (to the extent that such costs are related to internal-use software, see ASC 350-40, Internal-Use Software, for guidance on capitalization of costs);
- costs incurred to mitigate damages from a cyber incident by providing customers with incentives to maintain the business relationship (see ASC 605-50, Customer Payments and Incentives, regarding recognition, measurement and classification of these incentives);
- losses from asserted and unasserted claims, including those related to warranties, breach of contract, product recall and replacement and indemnification of counterparty losses from their remediation efforts (see ASC 450-20, Loss Contingencies, regarding recognition of a liability if those losses are probable and reasonably estimable and disclosures of losses that are at least reasonably possible);
- impairment of certain assets resulting from diminished future cash flows, including goodwill, customer-related intangible assets, trademarks, patents, capitalized software or other long-lived assets associated with hardware or software and inventory.
If the impact of a cyber incident is not immediately known and estimates are required to account for the various financial implications, registrants should subsequently reassess the assumptions that underlie the estimates made in preparing the financial statements: a "registrant must explain any risk or uncertainty of a reasonably possible change in its estimates in the near-term that would be material to the financial statements. Examples of estimates that may be affected by cyber incidents include estimates of warranty liability, allowances for product returns, capitalized software costs, inventory, litigation, and deferred revenue."
A subsequent event note may be required if a cyber incident is discovered after the balance sheet date but before the issuance of the financial statements. If the incident constitutes a material nonrecognized subsequent event, the financial statements should disclose the nature of the incident and an estimate of its financial effect, or a statement that such an estimate cannot be made.
Disclosure Controls and Procedures
Cyber incidents could impair the effectiveness of disclosure controls and procedures (and thus require disclosure) if they pose a risk to the registrant's ability to record, process, summarize and report information required to be disclosed in SEC filings, for example by affecting the registrant's information systems.