On October 13, 2011, the Securities and Exchange Commission (SEC) issued disclosure guidance for cyber risks. The guidance is available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm. The guidance changes the cyber security game for companies and their directors and officers. Do not take my word for it. No less than the Chairman of the U.S. Senate’s Commerce Committee has said that the new guidance issued by the SEC “fundamentally changes the way companies will address cyber security in the 21st century.”
The purpose of the guidance is to alert companies to types of cyber risks and events that should be disclosed to investors in a company’s public filings. To assess what must be told to investors, the SEC states that a company must disclose cyber risks if they “are among the most significant factors that make an investment in the company speculative or risky.”
Disclosures of cyber risks must be specific to the company’s business. The SEC cautions against providing generic disclosures that could apply to any business. That said, the SEC is conscious of the possibility that detailed disclosures could be used as a roadmap by someone who wants to harm the company. Companies are not required to provide a level of detail that would enable such harm.
While the SEC does not offer a “one-size-fits-all” list of matters that every business must disclose, it lists the following matters that should be applicable to many companies:
* Aspects of the business that could give rise to cyber security risks.
* The extent to which a company outsources functions that have material cyber security risks.
* A description of prior cyber security events the company has experienced, including their cost and other consequences.
* Cyber security risks that may remain undetected for a long time.
* Potential costs and consequences of cyber risks.
* Relevant insurance coverage purchased by the company to address its exposures.
The SEC’s guidance is not binding. That may sound like good news, but the standards in the guidance are likely to be used by the SEC and shareholders as a baseline to assess compliance with disclosure requirements in the securities laws. Investors in private companies can be expected to do likewise.
If you are a “glass-half-full” person, you might see the guidance as a sound analytical framework to evaluate and disclose cyber risks. Someone with a “glass-half-empty” outlook may see the guidance as a brush and bucket of red paint that directors and officers can use to paint targets on themselves. Both views are justified.
The guidance is undeniably helpful because it takes the guesswork out of deciding what must be disclosed to investors. At the same time, the guidance is detailed enough that it could enable shareholders and the lawyers who represent them to allege that necessary disclosures were not made, or that existing disclosures were not adequate. This could lead to more lawsuits against directors and officers.
What Should Companies Do?
* Ensure that appropriate disclosures of cyber risks and cyber events are being made.
* Prepare for much deeper inquiries by D&O insurance underwriters.
* Review options for insuring losses resulting from cyber events.
An expanded discussion of the SEC’s cyber security guidance and the steps companies should take in response can be found in a Lockton white paper available at http://www.lockton.com/Resource_/PageResource/MKT/Cyber%20Guidance%20revised.pdf.