Securities and Exchange Commission – Statement and Guidance on Public Company Cybersecurity Disclosures

Definition

The U.S. Computer Emergency Readiness Team defines cybersecurity as “[t]he activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation.”

Why this Announcement

Cybersecurity risks pose grave threats to investors, our capital markets, and our country. Companies that fall victim to successful cyber-attacks or experience other cybersecurity incidents may incur substantial costs and suffer other negative consequences.

Rationale

Disclosure about the board’s involvement in the oversight of the risk management process should provide important information to investors about how a company perceives the role of its board and the relationship between the board and senior management in managing the material risks facing the company. Disclosure regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allows investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.

What the SEC Expects

The company’s financial reporting and control systems are expected to provide reasonable assurance that information about the range and magnitude of the financial impacts of cybersecurity incidents and risks is disclosed, such as:

  • Remediation costs
  • Increased cybersecurity protection costs
  • Lost revenue
  • Litigation and legal risks
  • Increased insurance premiums
  • Reputational damage
  • Damage to competitiveness, stock price, and long-term shareholder value

How This Is Accomplished

Companies are expected to maintain comprehensive policies and procedures related to cybersecurity risks and incidents, which must include appropriate and effective disclosure controls and procedures to make accurate and timely disclosures of cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal, or reputational consequences, and to avoid generic cybersecurity-related disclosure. Cybersecurity risk factor disclosure may include:

  • prior cybersecurity incidents, including their severity and frequency
  • the probability of the occurrence and potential magnitude of cybersecurity incidents
  • adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs
  • aspects of the company’s business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks
  • costs associated with maintaining cybersecurity protections, including any applicable insurance coverage
  • potential for reputational harm
  • litigation, regulatory investigation, and remediation costs

Policies and Procedures

Companies are expected to adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly. They must ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications.

How the Security Program Supports this Expectation

An organization must at least have a plan for its security program, ideally evolved into a security management system. Components of the management system should include management of risk, policy, assessments and incidents, each of which plays a part in meeting SEC expectations. It is key that the security program leader is the senior manager guiding disclosure decisions and certifications through the Chief Executive Officer.
