Thoughts on the SEC's New Guidance on Reporting Cyber Risk
The new guidance on cybersecurity disclosure from the Securities and Exchange Commission (SEC)'s Division of Corporation Finance (CF) is a very well-written and welcome development in the world of corporate cyber-security. Although these are neither rules nor regulations, the CF has published them to "provide guidance that assists registrants in assessing what, if any, disclosures should be provided about cybersecurity matters in light of each registrant’s specific facts and circumstances."
One of the key take-aways for me is that it's not just about reporting a breach, although that's obviously a part of it. Companies also need to assess and report the risk of a breach occurring. Here's the exact language:
The federal securities laws, in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision. Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. In addition, material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading. Therefore, as with other operational and financial risks, registrants should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.
This obviously doesn't apply to all companies; only the ones that are in high-risk sectors, or perhaps ones that have already been the victim of a major breach or repeated breaches (e.g., RSA, Lockheed Martin, Sony). Again quoting from the SEC document under "Risk Factors":
In determining whether risk factor disclosure is required, we expect registrants to evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents. As part of this evaluation, registrants should consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption.
The existing regulations on reporting risk are contained in Regulation S-K, Item 503(c), "Prospectus Summary, Risk Factors, and Ratio of Earnings to Fixed Charges". Basically, you need to discuss what makes investment in the offering speculative or risky. For example:
- Your lack of an operating history;
- Your lack of profitable operations in recent periods;
- Your financial position;
- Your business or proposed business; or
- The lack of a market for your common equity securities or securities convertible into or exercisable for common equity securities.
Some of the factors spelled out in the SEC brief which could trigger the reporting of cyber risks for registrants include:
- Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
- To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
- Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
- Risks related to cyber incidents that may remain undetected for an extended period; and
- Description of relevant insurance coverage.
While there's a lot more work ahead before this guidance becomes anything more than voluntary, it's an important first step. C-suite executives who want to stay ahead of the regulatory curve should be paying attention to this announcement.