
The Division of Corporation Finance at the Securities and Exchange Commission (SEC) has released guidance on reporting cyber security risks and cyber incidents. The guidance follows the SEC's realization that a cyber security incident can have a direct impact on the shareholder value of a company. This move by the SEC indicates that it is time for businesses to treat information security incidents as business or operational incidents that can have a direct impact on the costs, and thus the profitability, of an organization.

    The objectives of cyber attacks vary widely and may include theft of financial assets, intellectual property, or other sensitive information belonging to registrants, their customers, or other business partners. Cyber attacks may also be directed at disrupting the operations of registrants or their business partners. Registrants that fall victim to successful cyber attacks may incur substantial costs and suffer other negative consequences, which may include, but are not limited to:

  • Remediation costs that may include liability for stolen assets or information and repairing system damage that may have been caused. Remediation costs may also include incentives offered to customers or other business partners in an effort to maintain the business relationships after an attack;

  • Increased cyber security protection costs that may include organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third party experts and consultants;

  • Lost revenues resulting from unauthorized use of proprietary information or the failure to retain or attract customers following an attack;

  • Litigation; and

  • Reputational damage adversely affecting customer or investor confidence.

The above excerpt from the guidance gives a number of high-level impacts of a cyber security breach.

    The following sections provide an overview of specific disclosure obligations that may require a discussion of cybersecurity risks and cyber incidents.

  • Risk Factors – Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky. In evaluating whether risk factor disclosure should be provided, registrants should also consider the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware.
  • Management's Discussion and Analysis of Financial Condition and Results of Operations (MD&A)

If material intellectual property is stolen in a cyber attack, and the effects of the theft are reasonably likely to be material, the registrant should describe the property that was stolen and the effect of the attack on its results of operations, liquidity, and financial condition and whether the attack would cause reported financial information not to be indicative of future operating results or financial condition.

  • Description of Business

If a registrant has a new product in development and learns of a cyber incident that could materially impair its future viability, the registrant should discuss the incident and the potential impact to the extent material.

  • Legal Proceedings

If a material pending legal proceeding to which a registrant or any of its subsidiaries is a party involves a cyber incident, the registrant may need to disclose information regarding this litigation in its "Legal Proceedings" disclosure.

  • Financial Statement Disclosures

Cybersecurity risks and cyber incidents may have a broad impact on a registrant's financial statements, depending on the nature and severity of the potential or actual incident.

  • Disclosure Controls and Procedures

Registrants are required to disclose conclusions on the effectiveness of disclosure controls and procedures. To the extent cyber incidents pose a risk to a registrant's ability to record, process, summarize, and report information that is required to be disclosed in Commission filings, management should also consider whether there are any deficiencies in its disclosure controls and procedures that would render them ineffective.

    To summarize, cyber security incidents are becoming part of business strategy and are a deciding factor in the costs of an organization. Any information security incident can have a direct impact on the organization's profitability, and shareholders should be notified of it, as it could have a direct impact on shareholder value.

    Read the full SEC Guidance here.