What do Uber, Equifax, and Target have in common? All were subjects of data breaches that compromised corporate records with resulting damage to the companies and account holders. The problems caused by a data breach are often compounded when the breach is not disclosed in a timely fashion. For example, hackers were able to obtain personal information on millions of Uber users and hundreds of thousands of drivers in 2016, but the data breach was not disclosed until a year later – and not until after Uber had paid the hackers $100,000 to destroy the data … while having no way to verify that the data was actually destroyed. What should companies be disclosing about cybersecurity risks and incidents?
This column reviews recent guidance provided by the Securities and Exchange Commission (SEC). Although the SEC guidance only applies to publicly traded companies, it serves as a reminder that in our interconnected world, all business entities are exposed to cybersecurity risk. All companies need to assess their cybersecurity risk management policies and develop procedures for responding to cybersecurity incidents.
In 2011, the SEC’s Division of Corporation Finance issued a report on the disclosure obligations related to cybersecurity risks and incidents. However, given the increasing number of cybersecurity incidents and the potential impacts of data breaches, the SEC issued new interpretive guidance on Feb. 21, 2018. The new guidance is consistent with the 2011 report, but it focuses on two dimensions of securities laws – disclosure controls and procedures and insider trading policies.1
In the words of Jay Clayton, SEC chair, “Companies increasingly rely on and are exposed to digital technology as they conduct their business operations and engage with their customers, business partners, and other constituencies. This reliance on and exposure to our digitally connected world presents ongoing risks and threats of cybersecurity incidents for all companies, including public companies regulated by the commission [SEC]. Public companies must stay focused on these issues and take all required action to inform investors about material cybersecurity risks and incidents in a timely fashion.”2
The guidance discusses the importance of cybersecurity policies and the application of insider-trading prohibitions in the context of cybersecurity. Companies must establish and maintain effective disclosure controls and procedures in order to make timely disclosures of material events related to cybersecurity. The guidance also includes a reminder that corporate insiders must comply with laws related to insider trading in connection with information about cybersecurity risks and incidents. Companies are encouraged to review their code of ethics and insider-trading policies to ensure that they incorporate material, nonpublic information related to cybersecurity.
– A number of SEC disclosure requirements apply to cybersecurity risks and incidents, even though they are not specifically directed toward cybersecurity. How do companies determine the potential materiality of cybersecurity risks or the importance of compromised information when an incident occurs? There is a range of potential damages from a cybersecurity incident, including damage to a company’s reputation, financial performance, and customer relations. Litigation and regulatory actions are also possible.
– Companies should make timely disclosures of material cybersecurity risks and incidents including potential consequences. Internal and external investigations of incidents can be lengthy, but an ongoing investigation is not sufficient justification of delaying disclosure. Sometimes a data breach may be more extensive than initially thought. The SEC guidance includes a reminder to companies that previous disclosures may need to be revisited as additional information becomes available during an incident investigation.
Avoid generic disclosures
– Although companies are expected to provide company-specific information, they are not expected to disclose specific information about their cybersecurity systems that might make them more vulnerable to a cybersecurity attack.
Specific Disclosure Guidance
– The guidance provides a list of issues for companies to consider when evaluating cybersecurity risk, including occurrence of prior cybersecurity incidents, adequacy of actions taken to reduce cybersecurity risks, risks associated with third-party supplies, and costs of cybersecurity protections. If a company experienced a prior or ongoing cybersecurity incident, that might need to be referenced in the disclosure to provide context for a broader discussion of potential risks.
Management discussion and analysis
– Companies are required to discuss financial condition, changes in financial condition, and results of operations. The costs of cybersecurity efforts, risks of potential incidents, and the consequences of actual incidents are disclosures that contribute to the analysis.
Description of a business
– Cybersecurity risks and incidents could affect any of the items discussed in the description of a business, including products, services, relationships with customers and suppliers, and competitive conditions. There should be disclosure of any material effects from cybersecurity.
– This would include any legal proceedings related to cybersecurity issues.
Financial statement disclosures
– The guidance provides a number of examples of the ways in which a cybersecurity incident might affect a company’s financial statements, including expenses related to the investigation, loss of revenue, warranty claims, and impairment of intellectual property. Information about the range and magnitude of the financial impact of cybersecurity incidents should be incorporated into the financial statements.
Board risk oversight
– If cybersecurity risks are material to the company’s operations, the discussion of the board’s role in risk management oversight should include its role in oversight of cybersecurity risk management.
The risk to cybersecurity is real for all companies, publicly traded giants down to sole proprietorships. All businesses need to evaluate their cybersecurity risk management policies and develop an appropriate set of procedures to respond to any incidents.
1 The complete Commission Statement and Guidance on Public Company Cybersecurity Disclosures. https://www.sec.gov/rules/interp/2018/33-10459.pdf
Mary Jeanne Welsh, CPA, PhD, is a professor of accounting at La Salle University in Philadelphia and is a member of the
Pennsylvania CPA Journal Editorial Board. She can be reached at firstname.lastname@example.org.