The SEC’s division of corporation finance staff has sharpened its focus on disclosure of cybersecurity risks and cyber-attacks in registration statements and periodic reports over the past few years. The staff has elicited more extensive disclosure on these matters through two primary approaches.
In one approach involving companies in select industries such as retail (brick-and-mortar and online), healthcare and other consumer-facing businesses possessing personal information, the SEC staff frequently notes it is generally reported in the media that companies in these industries have been the target of cyber-attacks. The staff then issues a comment to the registrant to provide a separate discussion of the risks posed to the registrant’s operations from its dependence on technology or to the registrant’s business, operations or reputation by cyber-attacks, regardless of the registrant’s existing disclosure.
In a second approach of the staff involving companies that include a boilerplate cybersecurity risk factor in their filings (as many public companies do), the staff asks companies to provide “proper context” to their risk factor disclosure by asking whether the registrant has experienced a cyber breach.
If the response is affirmative, the staff may then seek to determine if any preventative measures have been taken to reduce the risks of future cyber-attacks and if the costs associated with any preventative measures taken by the registrant are reasonably likely to have a material effect on its results of operations, liquidity and financial condition. If so, disclosure would need to be added to “Management’s Discussion and Analysis of Financial Condition and Results of Operations – Liquidity and Capital Resources” and the notes of the financial statements in the registrant’s next periodic filings with the SEC. The staff has provided guidance in this regard in the Division of Corporation Finance’s Disclosure Guidance Topic No. 2 (October 13, 2011).
In each of these instances, the staff regularly asks the registrant to confirm that it will disclose any cyber-attack in its SEC filings in the future.
To avoid future SEC comments, cybersecurity risk factors in a registrant’s annual report on Form 10-K and other public filings should address each of the staff’s two approaches.
PartnerArmed with more than three decades of capital market experience, Spencer represents smaller publicly traded companies, and often underwriters and investment funds, in public and private securities offerings. He focuses ...