Given the ongoing concern among enterprises and the government about cyberattacks and what information should be disclosed following an information security incident, the Division of Corporate Finance of the Securities and Exchange Commission (SEC) in October 2011 issued CF Disclosure Guidance: Topic No.2, which addresses public company reporting requirements involving relevant information for cybersecurity risks and incidents. This tip will explain the new SEC disclosure guidance, to whom it applies, what disclosure information must be provided, and how to provide it to the SEC in a timely fashion.
The SEC cybersecurity disclosure requirements should serve as helpful leverage to convince the organization's technology and compliance leadership to make the investment.
Publicly traded companies registered with the SEC are required to provide reports to all potential investors that disclose information about security risks and associated events. Although Topic No. 2 specifically states there is no official reporting requirement associated with cybersecurity risks, it also states such disclosure of cybersecurity risk information is necessary if such risks have a potential material impact on other reporting requirements. So for the purposes of this tip, let’s assume disclosure of any cybersecurity threat, risk or event by any organization registered with the SEC may be reviewed by SEC examiners.
Another key point is the SEC does not expect registrants to disclose information that might compromise their cybersecurity operations. Rather, the SEC prefers disclosure of cybersecurity information in such a way that investors will be able to understand and thereby appreciate the risks faced by the specific registrant, without the registrant disclosing security-related information, such as specific security products in use or configurations in place, that could be exploited by attackers. In other words, enterprises bound by this rule don't need to explain everything, but there must be an emphasis on plain-language documentation so non-technically savvy regulators and investors can make sense of it.
What do SEC cybersecurity disclosure rules address?
Among the cybersecurity event details the SEC wants disclosed – in addition to summaries of specific events – are the following:
- Discuss which aspects of the registrant’s business/operations pose cybersecurity risks.
- Discuss potential consequences and costs of a cybersecurity breach.
- Discuss how the registrant identifies the functions that may be at risk of a cyberattack and how it addresses those risks.
- Describe cybersecurity incidents that are deemed material to the registrant’s ability to function, the costs and consequences incurred from those events.
- Describe the potential for cybersecurity risks to be undetected for an extended period.
- Discuss use of insurance and other treatments to address cybersecurity risks.
Preparing for SEC cybersecurity disclosure report
SEC registrants must prepare and submit a number of reports to the SEC, such as Form 10-K, Form 10-Q and others. Each has a standard format and reporting structure. Report sections into which cybersecurity disclosure can be provided include the following:
Management’s Discussion and Analysis (MD&A) of Financial Condition and Results of Operations – In this section, the organization describes cybersecurity events that can be shown to have had a material effect on the registrant’s operations, liquidity or financial condition. These can include, for example, theft of critical financial data and loss of intellectual property. Assuming there are material, operational and/or financial effects from such a loss, it must be described in the MD&A, including any consequences of the event, such as incident response, customer outreach, increased investment in cybersecurity protective measures, and expenditures or losses related to those activities.
Description of Business – Registrants should disclose if a cybersecurity threat could materially impact any or all of its products and services, as well as new or planned products and services that could be at risk from a cybersecurity attack. Most organizations should be able to rely on their organizational risk assessment template and documentation to provide this information. If the enterprise hasn't conducted a thorough risk assessment yet, the SEC cybersecurity disclosure requirements should serve as helpful leverage to convince the organization's technology and compliance leadership to make the investment.
Legal Proceedings – If a cybersecurity event results in litigation due to loss of critical customer information or financial data, the registrant must disclose the circumstances surrounding the litigation, including the litigants, the court where proceedings are pending, and the details of the lawsuit. Fostering collaboration between compliance, security and legal teams well in advance of a legal event is a good idea so all stakeholders will be ready to respond to this requirement if necessary.
Financial Statement Disclosures – Registrants that capitalize the funding necessary to increase their cybersecurity protection must disclose this information in their financial statements. Cyber-based losses that result in lawsuits, breaches of contract, product recalls and other situations may affect the assumptions used in preparing financial statements, and should be stated in those assumptions.
Disclosure Controls and Procedures – In situations where a cyberattack disrupts the registrant’s ability to record, process, summarize and report information in its SEC filings, managers must be prepared to look for deficiencies in their information systems that may render their disclosure controls and procedures insufficient.
Reporting cybersecurity events
Typically, an IT security department compiles a variety of information in the course of reporting on a cyberattack. Among the data collected are date/time of occurrence, name of person reporting the event, description of the event, device(s) identifying the event (e.g., intrusion detection system), method(s) of mitigating/eliminating the attack (e.g., shutting down systems, launching antivirus software), duration of the event, equipment and systems (e.g., servers, operating systems) affected, data files (e.g., files, databases, other records) affected, network assets (e.g., switches, routers, software) affected, other company assets affected, post event follow-up required, and the date and/or time the event was closed.
By contrast to the above level of technical and operational detail, the material, financial, operational and reputational impact of a cybersecurity event may need to be determined by other company professionals. Data from information security department reports can be used to prepare such analyses.
For most public companies, compliance with any SEC requirement, including the cybersecurity disclosure rules, will be managed by the office of the CFO and the compliance team; information security teams should be prepared to play an important role in support of compliance with Topic No. 2. While inclusion of all the technical details noted above will not be necessary for SEC reporting, availability of such reports – and the analyses developed from them – will be critical in preparing disclosure reports for SEC filings.
About the author:
Paul Kirvan, FBCI, CISA, is an independent consultant with more than 30 years experience in business continuity, disaster recovery, IT/telecommunications, enterprise risk management (ERM) and governance, risk and compliance (GRC) issues.