SEC Issues Disclosure Guidance on Cybersecurity Reporting Considerations

Published on: 17 Oct 2011

Last Thursday, the SEC's Division of Corporation Finance issued guidance highlighting its views on disclosure considerations related to cybersecurity risks and cyber incidents. Registrants’ focus on cybersecurity has increased recently because of greater dependence on technology used to conduct daily business operations. The SEC issued the guidance to help entities and members of the legal and accounting professions better understand how risks to registrants associated with cybersecurity should be considered in connection with the disclosure framework required by federal securities laws.

Noting that cyber incidents could be unintentional or could result from deliberate attacks, the SEC staff clarified that it would consider cyber-related risks similarly to other business risks. Further, the SEC staff indicated that it is “mindful of potential concerns that detailed disclosures could compromise cybersecurity efforts — for example, by providing a ‘roadmap’ . . . — [and that] disclosures of that nature are not required under the federal securities laws.” In examining the requirements under current federal securities laws, the SEC staff determined that registrants should consider providing specific cybersecurity risk and cyber incident disclosures in their (1) risk factors, (2) MD&A, (3) description of the entity’s business, (4) legal proceedings, (5) financial statements, and (6) disclosure controls and procedures as follows:

  • Risk factors — An entity should assess whether risks associated with cybersecurity or cyber incidents are among its more significant risk factors by considering (1) “prior cyber incidents and the severity and frequency of such incidents,” (2) the probability of a cyber incident occurring and the magnitude of the costs or losses associated with such an incident, (3) “known or threatened cyber incidents,” (4) industry-specific cybersecurity risks, and (5) the preventive actions in place to mitigate cybersecurity risks. In considering these factors, a registrant should avoid “boilerplate” disclosure by following the requirements in Regulation S-K, Item 503(c), and should disclose risks that are specific to its own facts and circumstances.
  • MD&A — An entity should disclose known cybersecurity risks and cyber incidents, including potential risks or incidents, that represent a material event, trend, or uncertainty reasonably likely to have a material effect on its results of operations, liquidity, or financial condition.
  • Description of business — An entity should consider the impact of material cyber incidents on its products, services, customer and supplier relationships, and competitive position and disclose such effect on the applicable business segment and product.
  • Legal proceedings — An entity should disclose relevant information on material pending litigation resulting from a cyber incident, including the nature of proceedings and damages sought.
  • Financial statements — An entity should consider the impact of cybersecurity risks and cyber incidents on the application of relevant accounting standards, including but not limited to (1) the accounting treatment of cybersecurity risk mitigation program costs (i.e., capitalization considerations), (2) the effect that a cyber incident has on the valuation of assets (i.e., potential impairment), and (3) the impact of unasserted claims related to cyber incidents (i.e., loss contingency considerations). In addition, the entity should consider the timing of cyber incidents relative to financial statement issuance and determine subsequent disclosure ramifications.
  • Disclosure controls and procedures — Because an entity is required to report on its conclusions about the effectiveness of disclosure controls and procedures, the entity should consider the impact of any cyber incidents on these conclusions and determine whether there are any deficiencies in its disclosure controls and procedures.

