The SEC staff states that its Disclosure Guidance is
"consistent with the relevant disclosure considerations that arise in
connection with any business risk." The Disclosure Guidance acknowledges that
detailed cyber disclosure could itself compromise a company's cybersecurity.
Accordingly, the SEC rules do not require disclosure that would compromise
a company's cybersecurity. Instead, the guidance states that companies should
"provide sufficient disclosure to allow investors to appreciate the nature of
the risks faced by the particular registrant in a manner that would not have
that consequence."
The Disclosure Guidance concedes that existing SEC disclosure rules do not
explicitly refer to cybersecurity matters, but states that such disclosures may
still be mandatory under existing SEC rules. Material information concerning
cybersecurity risks and cyber incidents is required to be disclosed when
necessary to ensure that other required disclosures are not misleading in light
of the circumstances under which they are made.
The cybersecurity Disclosure Guidance is similar in form to the SEC's 2010
interpretive release on climate change disclosure. The Disclosure Guidance
sets out the SEC staff's views on the application of existing SEC disclosure
rules to cybersecurity matters. In particular, the Disclosure Guidance
addresses disclosure considerations relevant to both cybersecurity risks and
cyber incidents under the following provisions:
Risk factors
Risk factor disclosure under Item 503 should include a discussion of
cybersecurity risks and cyber incidents if such issues are among the most
significant factors that make an investment in the company risky or
speculative. Cybersecurity risk factor disclosure should be tailored to the
individual company's facts and circumstances and should avoid "boilerplate"
disclosures.
Management's Discussion and Analysis (MD&A) of Financial Condition and Results of Operations
Under Item 303, the MD&A should include a discussion of cybersecurity risks and
cyber incidents if cyber incidents are reasonably likely to affect the company's
liquidity, results of operations or financial condition, or would cause reported
financial information not to be necessarily indicative of future operating
results or financial condition.
Description of Business
Public companies should discuss cyber incidents in their Business description
if these incidents materially affect the company's products and services,
relationships with customers or suppliers, or competitive conditions. The
disclosure should cover the impact of the cyber incidents on each reportable
segment.
Legal Proceedings
If there is a pending legal proceeding involving a cyber incident to which the
company or any of its subsidiaries is a party, the company must disclose that
legal proceeding.
Financial Statement Disclosures
Cybersecurity risks and cyber incidents may have major effects on a company's
financial statements. Companies should make sure that any such impact on the
financial statements is accounted for pursuant to applicable accounting guidance.
Disclosure Controls and Procedures
A cyber event may disrupt the company's ability to provide the SEC with the
information required to be disclosed in its filings; in such a case the company
may conclude that its disclosure controls and procedures are ineffective.
Links Used: