The U.S. Securities and Exchange Commission released guidelines to help companies determine when and what information on security breaches should be disclosed to potential investors.
By Hillary O’Rourke, Contributor
The U.S. Securities and Exchange Commission released guidelines last week that help public companies decide when, and what, to disclose to investors about security breaches, including the mere potential for them.
The initiative by SEC’s Division of Corporation Finance intends for companies to “disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky,” according to the guidelines.
In the statement, the SEC explains that it would like to see a discussion of possible security risks and the consequences those risks entail, how the company plans to counteract possible attacks, descriptions of previous attacks, what would happen if an attack went undetected for a period of time, and insurance details.
To determine whether it must disclose information, a company should “evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents.”
“For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur,” said the guidelines. Instead, the company should discuss the possibility of such an attack recurring, along with the consequences it has already experienced and those it could still face.
According to the release, it is not intended to be a rule or a regulation, and it is “neither approved nor disapproved” by the Commission. It is simply a “roadmap” for those who seek guidance in their security efforts at a time when the number of cyber incidents is growing.
According to the SEC, risk factor disclosures should include:
- Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
- To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
- Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
- Risks related to cyber incidents that may remain undetected for an extended period; and
- Description of relevant insurance coverage.