In February 2018 the SEC outlined its views with respect to cybersecurity disclosure requirements under the federal securities laws as they apply to public reporting companies. Set forth below is a checklist of items included in the release that may trigger specific cybersecurity disclosures.
- Risk Factors: Item 503(c) of Regulation S-K and Item 3.D of Form 20-F require companies to disclose the most significant factors that make investments in the company’s securities speculative or risky. Companies should disclose the risks associated with cybersecurity and cybersecurity incidents if these risks are among such factors, including risks that arise in connection with acquisitions. In meeting their disclosure obligations, companies may need to disclose previous or ongoing cybersecurity incidents or other past events in order to place discussions of these risks in the appropriate context.
- MD&A of Financial Condition and Results of Operations: Item 303 of Regulation S-K and Item 5 of Form 20-F require a company to discuss its financial condition, changes in financial condition, and results of operations. In this context, the cost of ongoing cybersecurity efforts (including enhancements to existing efforts), the costs and other consequences of cybersecurity incidents (including, but not limited to, immediate costs of the incident, engaging in remediation efforts, and addressing harm to reputation), and the risks of potential cybersecurity incidents, among other matters, could inform a company’s analysis.
- Description of Business: Item 101 of Regulation S-K and Item 4.B of Form 20-F require companies to discuss their products, services, relationships with customers and suppliers, and competitive conditions. If cybersecurity incidents or risks materially affect a company’s products, services, relationships with customers or suppliers, or competitive conditions, the company must provide appropriate disclosure.
- Legal Proceedings: Item 103 of Regulation S-K requires companies to disclose information relating to material pending legal proceedings to which they or their subsidiaries are a party. This requirement includes any such proceedings that relate to cybersecurity issues.
- Financial Statement Disclosures: The Commission expects that a company’s financial reporting and control systems would be designed to provide reasonable assurance that information about the range and magnitude of the financial impacts of a cybersecurity incident would be incorporated into its financial statements on a timely basis as the information becomes available.
- Board Risk Oversight: Item 407(h) of Regulation S-K and Item 7 of Schedule 14A require a company to disclose the extent of its board of directors’ role in the risk oversight of the company, such as how the board administers its oversight function and the effect this has on the board’s leadership structure. To the extent cybersecurity risks are material to a company’s business, the SEC believes this discussion should include the nature of the board’s role in overseeing the management of that risk including disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues.
- Disclosure Controls and Procedures: Companies should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications and to facilitate policies and procedures designed to prohibit directors, officers, and other corporate insiders from trading on the basis of material nonpublic information about cybersecurity risks and incidents.
- Certifications. Exchange Act Rules 13a-14 and 15d-14 require a company’s principal executive officer and principal financial officer to make certifications regarding the design and effectiveness of disclosure controls and procedures, and Item 307 of Regulation S-K and Item 15(a) of Exchange Act Form 20-F require companies to disclose conclusions on the effectiveness of disclosure controls and procedures. These certifications and disclosures should take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact. In addition, to the extent cybersecurity risks or incidents pose a risk to a company’s ability to record, process, summarize, and report information that is required to be disclosed in filings, management should consider whether there are deficiencies in disclosure controls and procedures that would render them ineffective.
As emphasized in the SEC’s guidance, the materiality of cybersecurity risks or incidents remains the primary guidepost for disclosure. In this context, issuers must assess the nature, extent, and potential magnitude of risks and incidents, particularly as they relate to any compromised information or the business and scope of company operations. The materiality of cybersecurity risks and incidents also depends on the range of harm that such incidents could cause to, for example, a company’s reputation, financial performance, and customer and vendor relationships, as well as the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities.