New SEC Guidance

January 04, 2012
New SEC Guidance on Cybersecurity

In October 2011, the Securities and Exchange Commission's (SEC) Division of Corporation Finance issued guidance on disclosure obligations relating to cybersecurity risks and cyber incidents. The new guidance, which is effective immediately, will have potentially far-reaching impacts on publicly listed companies.

The guidance then explains that even though no rules explicitly address this topic, cyber incidents and the risk of such incidents may nevertheless give rise to disclosure obligations under current SEC rules. In light of the damage that a cyber incident can cause as well as existing obligations to disclose information that a "reasonable investor would consider important to an investment decision," registrants may be required to provide information that allows investors to understand the nature of a company's particular cybersecurity risks. Moreover, registrants may also need to disclose material information regarding specific cybersecurity risks and cyber incidents when such information is necessary to "make other required disclosures, in light of the circumstances under which they are made, not misleading."

The SEC provides specific guidance about disclosure in six areas of public company financial reports: Risk Factors, Management's Discussion and Analysis (MD&A), Business Description, Legal Proceedings, Financial Statement Disclosure, and Disclosure Controls and Procedures. The disclosure guidelines can be found here.

In summary, the SEC is directing public companies to review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.





