The Securities and Exchange Commission’s Disclosure Guidance on Cybersecurity, issued on October 13, is another big step towards the widespread realization that for many organizations, IT and the business are one. More and more critical business processes depend on hardware and software, and today a company’s worth is just as likely to be based on its intellectual property as on its physical assets. Much of that intellectual property is entrusted to IT and can be stolen in a cyberattack.
Take a glance and the disclosure guidance may not seem that important at first, since it contains no new rules or regulations. Read it carefully and you’ll see that the SEC is sending a clear message that publicly traded companies can no longer pretend cyber attacks and vulnerabilities are immaterial to the business.
The guidance spells out several existing business disclosure requirements that should take cybersecurity into account:
Risk Factors: Companies should disclose the risk of cybersecurity incidents if they are “among the most significant factors that make an investment in the company speculative or risky.” Disclosures may include the frequency and nature of prior incidents, the probability of future cyber incidents, all the potential costs and other consequences resulting from attacks, and even the adequacy of a business’s current preventive actions. The guidance is pretty thorough, even spelling out less tangible financial costs of an attack that should be taken into account, such as lost revenue from unauthorized use of proprietary information, reputational damage, litigation, and failure to retain or attract customers.
Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A): Companies should address cybersecurity risks and incidents if the cost or other consequences are likely to have a material effect on results of operations, liquidity or financial condition. Companies may be expected to describe the effects of an actual attack and the actual property that was stolen, as well as whether the impact changes the validity of already reported financial information.
Description of the Business: Cybersecurity incidents should be reported if they materially affect a company’s products, services, customer or supplier relationships, or competitive position.
Legal Proceedings: Companies should disclose the details of litigation resulting from cyber attacks, such as litigation resulting from theft of customer information.
Financial Statement Disclosures: Companies should carefully consider whether cyber risks and incidents have a broad impact on their financial statements. Some things to take into account include the costs of preventing attacks, customer incentives after attacks, and losses from warranties, breaches of contract, and product recalls or replacement.
Disclosure Controls and Procedures: Companies should disclose the impact of incidents on their ability to record, process, summarize, and report information required in SEC filings, if it’s significant, and consider whether existing disclosure controls and procedures have been rendered ineffective.
If you work for a public company, you should take this guidance seriously. It’s likely that publicly traded companies will be expected to start reevaluating their cybersecurity practices and audits and to become more proactive about disclosing cybersecurity vulnerabilities and attacks. If you haven’t yet incorporated IT security experts in your Risk Management teams, it’s probably time to start thinking about doing so. Even if there are no new regulations here, it’s likely that after a damaging cyber attack, questions will come up about adherence to the SEC’s guidance. You can also bet this is just the beginning of a progression of new legislation and regulatory action addressing the issue of cybersecurity’s impact on the business.