In the middle of the 2017 10-K filing season, the SEC issued additional guidance and expectations for cybersecurity disclosures. Cyber has been a hot topic for the SEC for the last several years, and the financial cost to companies of preventing a breach and then responding to one cannot be overstated.
The SEC took a wider view of the issue in the introduction to its interpretation, stating: "Whether it is the companies in which investors invest, their accounts with financial services firms, the markets through which they trade, or the infrastructure they count on daily, the investing public and the U.S. economy depend on the security and reliability of information and communications technology, systems and networks." Cyber threats put at risk both publicly traded companies and the underpinnings of our capital markets.
The new guidance reinforces the need for cybersecurity disclosures and expands the existing 2011 staff guidance. The two new requirements include:
Most organizations should expect to expand their cybersecurity disclosures in future filings. Areas where cyber disclosures should be considered include risk factors, the description of business, MD&A, legal proceedings and financial statement disclosures.
Many regulated entities (such as financial institutions, telecom and healthcare companies) and larger companies may already have risk management processes in place that address cyber risks. For these entities, the additional work should consist of confirming that the disclosure controls and processes are operating as intended and considering the additional disclosure requirements for future filings.
For those entities with a less robust risk management approach to cyber, we suggest the following:
The new SEC guidance is just the next step down a path of increased scrutiny and expectations from regulators on cyber risks. Starting today can increase transparency with your Board and shareholders and reduce your regulatory burden in the future.