In the wake of the cyber attacks experienced by a number of large companies in recent months, including Citi, Google and Sony, the Securities and Exchange Commission’s Division of Corporation Finance provided companies with guidelines last month for disclosing cyber risks and cyber attacks.
Companies should disclose cyber risks and cyber incidents if the information would be important to an investor’s decision about the company, according to the guidance. It goes on to detail the various parts of SEC filings where such information might be included.
Alan Charles Raul, a partner who heads the privacy, data security and information law practice at Sidley Austin, says SEC rules already mandate that companies make such disclosures. “The legal requirements are the existing legal requirements,” Raul says.
“What the guidance helps do is draw attention to an important area that most companies were thinking about already,” he adds, “an area that’s getting a lot of attention in the media and on Capitol Hill.” Raul notes that there are cyber security measures pending or about to be introduced in Congress.
The SEC guidance warns that the agency does not want “generic risk factor disclosure,” but also says companies should not disclose so much that they’re providing instructions to cyber criminals. “Federal securities laws do not require disclosure that itself would compromise a registrant’s cyber security,” the guidance says.
John Reed Stark, a managing director and deputy general counsel at Stroz Friedberg, a firm that provides computer forensics and investigation services, says crafting an accurate disclosure regarding a cyber attack could pose a challenge for companies. As cyber criminals become more sophisticated, “the odds of experiencing something completely new are pretty good,” says Stark. “For a company to get their arms around it will take time, and they might get it wrong.”
Stark, a former SEC staffer who was the first chief of the agency’s Office of Internet Enforcement, adds that coming up with an accurate disclosure of a cyber attack or breach is probably low on a company’s to-do list in the wake of such an attack.
“The first thing is to quarantine whatever virus or malware there is, assess it and then begin remediation,” he says. “You don’t think off the top of your head, ‘How do we disclose this?’ ’cause you’re not even sure what it is until you can get experts in to figure it out.”