The SEC Focuses on Cyber Security and Related Disclosure Requirements
Over the course of the last several years, corporations have faced the threat of cyber risk and the occurrence of cyber security incidents with more and more frequency. As a result, public companies have begun to report cyber risks and cyber incidents in their public filings, but the specifics of what should be disclosed has been predominately left for each individual company to decide.
The SEC's Division of Corporation Finance has now put out guidance on what should be included in disclosures concerning cyber security risks and incidents. While this guidance does not have the effect of law, it is a strong indication of how the SEC will proceed internally and what is expected in a public company's reporting. The theory behind the guidance is that the federal securities laws are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision. With those thoughts in mind, the SEC guidance is intended to help inform registrants as to what should be disclosed so that an investor can make an informed decision.
I. Cyber Risk Disclosure Requirements
1. Cyber Risk Factors – Cyber security risk disclosure must adequately describe the nature of the material risks and specify how each risk affects the registrant. These risks should be specific to the registrant's business and not generic in nature. Items requiring disclosure include past security incidents, the probability for future incidents and their potential impact on both the business's finances and reputation. This can include everything from the cost of repairing customer confidence to increased insurance costs. In addition, if the company outsources certain functions, any risks presented by that outsourcing and how the company is addressing them should be disclosed. There is, however, no duty to disclose a formal cyber security plan or road map that could potentially compromise the registrant's security.
2. Management's Discussions and Analysis of Financial Condition and Results of Operations (MD&A) – The MD&A is designed to give a reader of a registrant's financial statements a narrative from the perspective of management on the company's financial condition, results of operations, liquidity and certain other factors that may affect future results. In that regard, if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, then such facts should be disclosed in the MD&A.
3. Description of Business – If one or more cyber incidents materially affect a registrant's products, services, relationships with customers or suppliers, or competitive conditions, the registrant should provide disclosure in the registrant's "Description of Business."
4. Legal Proceedings – If the registrant is involved in a legal proceeding or if there is a pending legal proceeding related to a cyber security risk or incident, then this information should be included in the "Legal Proceedings" disclosure.
5. Accounting Costs – These are several costs that must be recorded as notified in the FASB Accounting Standards Codification (ASC).
a. Cyber security Prevention Software (ASC 350-40: Internal Use Software) – Report the costs of software used to prevent cyber security incidents.
b. Incentives to Maintain the Business Relationship (ASC 605-50: Customer Payments and Incentives) – Report on costs spent to repair damaged business relationships after a cyber security incident.
c. Losses from Asserted and Unasserted Claims (ASC 450-20: Loss Contingencies) – Report on losses related to warranties, breach of contract, product recall and replacement, and indemnification of counterparty losses from their remediation efforts.
d. Diminished Future Cash Flows (ASC 275-10: Risks and Uncertainties) – Cyber incidents may result diminished future cash flows in relation to both tangible and intangible assets. In the event that the exact loss is not known, Registrants may still be required to develop estimates to account for the various financial implications. Examples of estimates that may be affected included warranty liability, allowances for product returns, capitalized software costs, inventory, litigation, and deferred revenue.
e. Cyber Incident after the Balance Sheet Date (ASC 855-10: Subsequent Event) – Report on a cyber security incident that occurs after the balance sheet date as a subsequent event.
6. Controls and Procedures – Registrants are required to disclose cyber incident risk as it relates to a registrant's ability to record, process, summarize, and report information for SEC filings.
II. Cyber Risk Disclosure in Practice
While this SEC guidance is new, there is already an established history of reporting on cyber security risks and incidents.
In 2007, TJX Companies Inc., a retailer, suffered a data breach in which approximately 94,000,000 credit card and transactional records were compromised. TJX reported on the incident in their 10-K filings, but the references to the data breach were limited. It was only mentioned in the introduction to the filing, identified as a Risk Factor, and identified as a Legal Proceeding.
Another example is the 2009 data breach of Heartland Payment Systems (HPS) in which the credit card processor had its database hacked and approximately 130,000,000 records were compromised. Similar to TJX, HPS reported the cyber security incident in their 2010 10-K filings as a "processing system intrusion." However, in contrast to TJX, the HPS cyber security incident was addressed at length where it was identified 245 times within the annual report including on the income statement, balance sheet, statement of cash flows, and throughout the support documents.
The contrast in reporting between the 2007 TJX incident and the 2009 HPS incident is illustrative of the new, enhanced reporting requirements. By reference to both the recent SEC guidance and the practical reporting history, it is becoming evident that a new, stricter reporting requirement is now in force for cyber security risks and incidents. Companies addressing security breaches must now be sure that their corporate compliance and securities counsel are considering the effects and remediation of security breaches and risks. This is, of course, in addition to directly addressing such concerns with the company's information technology and privacy counsel as well as their general information technology group.
 - Cybersecurity is the body of technologies, processes and practices designed to protect networks, systems, computers, programs and data from attack, damage or unauthorized access. See Whatis?com, available at whatis.techtarget.com/definition/cybersecurity.html (visited December 15, 2011). See also Merriam-Webster.com, available at merriam-webster.com/dictionary/cybersecurity (visited December 15, 2011).
 - See CF Disclosure Guidance: Topic No. 2 Cybersecurity, sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm (issued October 13, 2011).
 - See Securities Act of 1933, 15 U.S.C. § 77a; Securities Act of 1934, 15 U.S.C. § 78a.
 - See Item 503(c) of Regulation S-K.
 - See Item 101 of Regulation S-K; and Form 20-F, Item 4.B.
 - See Item 103 of Regulation S-K.
 - See FASB Accounting Standards Codification, available at asc.fasb.org/help&cid=1175804733759 (visited December 15, 2011).
 - See Item 307 of Regulation S-K; and Form 20-F, Item 15(a).
 - See Dataloss DB, datalossdb.org/incidents/548-hack-exposes-94-million-credit-card-numbers-and-transaction-details (visited December 15, 2011).
 - See Dataloss DB, datalossdb.org/incidents/1518-malicious-software-hack-compromises-unknown-number-of-credit-cards-at-fifth-largest-credit-card-processor (issued March 10, 2011).
 - See Heartland Payment Systems 2010 10-K Report, available at snl.com/IRWebLinkX/file.aspx?IID=4094417&FID=10884340&O=3&OSID=9 (visited December 15, 2011).
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2011 White & Case LLP