Blogs

GUEST BLOG: New SEC disclosure guidance about cyber security risks

10.28.11

GUEST BLOG FROM JIM BRASHEAR

I welcome Jim Brashear as a Guest Blogger with his blog concerning cyber security risks. Jim is Vice President, General Counsel and Corporate Secretary of Nasdaq- traded Zix Corporation, the market leader in email encryption services. He frequently appears as a public speaker on corporate governance, data security and information technology legal topics. You may want to follow him on Twitter. I’m sure we will see more Guest Blogs from him in the future. 

New SEC disclosure guidance about cyber security risks

The SEC recently issued new disclosure guidance about cyber security risks. In summary, the SEC is directing public companies to review, on an ongoing basis, the adequacy of their disclosure relating to cyber security risks and cyber incidents. The disclosure guidance does not create new standards, but reminds public companies of existing disclosure requirements that may apply to cyber security risks and cyber incidents.

The bottom line is that this guidance should cause public companies, including their senior management and boards of directors, to give more attention to assessing cyber security as part of their enterprise risk assessments, because a discussion of cyber security risks and cyber incidents may become expected in public company financial disclosure. It should also prompt public companies to include these issues in their disclosure controls processes.

The SEC provides more specific guidance about disclosure in six areas of public company financial reports: Risk Factors, Management’s Discussion and Analysis (MD&A), Business Description, Legal Proceedings, Financial Statement Disclosure, and Disclosure Controls and Procedures.

On the latter point, public companies will need to assess and disclose conclusions about the impact of cyber security risks and cyber security incidents on the effectiveness of the organization’s controls over financial disclosure, including whether there are any deficiencies that would render those controls ineffective. Additionally, public companies should supplement their disclosure controls checklists, so that their disclosure controls processes will include consideration of possible disclosure about cyber risks and cyber incidents.

Companies are not required to disclose any or all of the issues that are identified for consideration and discussion by their disclosure controls committees. In fact, the SEC recognizes that detailed disclosures of these issues could increase the cyber risks. The organization may have concerns about what personnel can be involved in IT security discussions or receive any report about those issues, based on individual security clearances, etc. The process might, therefore, require that those discussions occur in a smaller group.

The list of questions below is intended to (a) prompt a discussion in the disclosure committee of any meaningful changes in the company’s cyber risk profile and whether additional disclosure (or other action) is warranted, and (b) create a written record that management thoughtfully considered the principal data security and privacy risks facing the company in order to determine whether additional disclosure (or other action) is warranted.

1.         Any significant change to the nature or level of cyber security risks facing the company or affecting the company’s services to customers [such as any meaningful increase in actual or threatened penetration attempts, spear phishing or other advanced persistent threats (APT), or denial of service (DOS) attacks]

2.         Any significant cyber incident [such as malware embedded in any company system which may have exposed or compromised any of the company’s confidential or proprietary information, or the transmission or other exposure via the internet of unencrypted personal information of any customer, employee or other individual]

3.         Any significant cyber security risk deficiency that was identified in any review or audit of the company’s information security or data privacy practices

4.         Any significant change to the company’s expenses or capital costs of mitigating cyber security risks, such as an increase in cyber risk insurance premiums or services purchased to avoid system penetration

5.         Any significant change in the company’s ability to promptly respond to, and promptly resume operations after, a cyber incident or damage or loss of power to the company’s principal data center or any other systems important to maintaining operations

The publications contained in this site do not constitute legal advice. Legal advice can only be given with knowledge of the client's specific facts. By putting these publications on our website we do not intend to create a lawyer-client relationship with the user. Materials may not reflect the most current legal developments, verdicts or settlements. This information should in no way be taken as an indication of future results.

Search Tips:

You may use the wildcard symbol (*) as a root expander.  A search for "anti*" will find not only "anti", but also "anti-trust", "antique", etc.

Entering two terms together in a search field will behave as though an "OR" is being used.  For example, entering "Antique Motorcars" as a Client Name search will find results with either word in the Client Name.

Operators

AND and OR may be used in a search.  Note: they must be capitalized, e.g., "Project AND Finance." 

The + and - sign operators may be used.  The + sign indicates that the term immediately following is required, while the - sign indicates to omit results that contain that term. E.g., "+real -estate" says results must have "real" but not "estate".

To perform an exact phrase search, surround your search phrase with quotation marks.  For example, "Project Finance".

Searches are not case sensitive.

back to top