A new guidance document from the Securities and Exchange Commission may cause some companies to rethink their approach when disclosing cybersecurity risks.
The SEC’s Division of Corporate Finance issued the guidance document, which is not a new regulation, to explain how existing disclosure obligations apply to cybersecurity risks. Because many companies now rely heavily on digital technology to conduct business, the guidance document could play a key role in the future of disclosures.
Disclosing too much detail could hand a roadmap to those who wish to do harm, while disclosing too little could leave a company out of compliance with its other required disclosures. No SEC disclosure requirement specifically refers to cybersecurity.
The guidance document suggests disclosing the risk of cyber incidents when that risk is among the factors that make investing in the company risky. If a company has a history of cybersecurity breaches and further breaches are likely, then an evaluation of what the company is doing to prevent those attacks would be valuable. As with all risk disclosures, an appropriate disclosure of cybersecurity risks should include an analysis of outsourced functions that put the company at risk, a list of issues and how they are addressed and resolved, and a description of insurance coverage.
The document also warns against boilerplate disclosures and encourages detail. It is important to reiterate that the guidance document is only a guide and does not represent any new official requirements.