Cybersecurity & Corporate Governance: SEC Releases First-Ever Guidance on Cybersecurity Risks Disclosure

November 22, 2011

In the fast-changing landscape of corporate governance, one of the newest issues to emerge for chief officers and directors to consider is cybersecurity preparedness and monitoring, as well as cyber incident response and (in some cases) reporting. Such cybersecurity governance obligations are two-fold. First, for internal IT systems, that oversight can be conducted as a matter of internal management practice. However, where part of a company's IT infrastructure is provided by third parties (including outsourcing, shared services, inter-company management services, SaaS, or cloud computing), the effective execution of those services must be governed through the related service contract. Indeed, the outsourcing or relegation of the day-to-day operational duties of any IT operation or business process does not discharge the executive officers or the board from their continuing governance duties of oversight and supervision. Since corporate governance duties do not evaporate upon such managed service transactions, the governance obligations previously executed through internal management channels must continue to be supervised by virtue of the contractual rights set out in the relevant services agreement.

The U.S. Securities & Exchange Commission (SEC) has recently made it very clear that the risks and implications of a cybersecurity breach are no exception. In fact, as businesses become more dependent on Internet-based communications and computing resources (including cloud computing), as businesses increasingly internationalize their operations and globally diversify their supply chains, and with the explosion of intelligent infrastructure and "smart" systems, the risk of cyber theft, sabotage, espionage, and even cyber attack has gained increasing priority for those charged with corporate governance and compliance duties.

Last month, the SEC elevated the issue of cybersecurity risk for publicly traded companies when it issued its first guidance for disclosing cybersecurity risks and incidents (October 13/11 – CF Disclosure Guidance: Topic No. 2). Although the SEC's cybersecurity guidance is not a binding legal or regulatory requirement, the SEC points out that a cyber attack could directly affect the ability of a registrant to comply with many other existing legal and regulatory disclosure and reporting requirements, such as where a cyber attack corrupts or sabotages financial information and reports, or otherwise prevents a registrant's ability to record, process, summarize and report required SEC information.

The SEC's cybersecurity guidance suggests, in part, the following disclosure principles and, to some extent, provides a reminder of existing disclosure obligations as they apply to a cybersecurity context:

  1. Registrants should consider the extent to which a number of existing disclosure requirements may require registrants to disclose cybersecurity risks and cyber incidents.
  2. Registrants should review, on an ongoing basis, the adequacy of their disclosure processes and materials relating to cybersecurity risks and cyber incidents. Registrants are expected to evaluate their cybersecurity risks and take into account all relevant information.
  3. The SEC expects registrants to evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents. As part of this evaluation, registrants should consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption.
  4. Cyber incident risks should be disclosed if those risks are among the most significant factors that make an investment in the company speculative or risky.
  5. Registrants should consider the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate.
  6. Disclosures should avoid generic boilerplate terminology and should be tailored to each registrant's particular cybersecurity circumstance.
  7. Cybersecurity risks and cyber incidents may have a broad impact on a registrant's financial statements, depending on the nature and severity of the potential or actual incident. For example, to the extent a cyber incident is discovered after the balance sheet date but before the issuance of financial statements, the nature of (and an estimate of the financial effect of) an incident that constitutes a material unrecognized subsequent event should be disclosed.
  8. If any cyber attacks (and perhaps other known cyber risks) have prompted the registrant to materially increase its cybersecurity protection expenditures, the registrant should disclose those expenditures.
  9. Pending material legal proceedings related to a cyber incident may require disclosure, such as where a significant amount of customer information is stolen and material litigation is pending as a result.
  10. Registrants should consider whether or not any cyber incidents could detrimentally affect the company's ability to record, process, summarize and report required information to the SEC, for example, if it is reasonably possible that a cyber incident could affect a registrant's information systems in that manner.
