On October 13th the Corporate Finance division of the Securities and Exchange Commission (SEC) quietly released a document, CF Disclosure Guidance: Topic No. 2[1], on the web that has the potential to make a major impact on the way that corporations look at cyber-security.
Although the document is guidance rather than a rule, it can be, and in many cases is, argued in a court of law that failure to follow guidance may result in liability.
A registrant may need to disclose known or threatened cyber incidents to place the discussion of cybersecurity risks in context. For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur.
While registrants should provide disclosure tailored to their particular circumstances and avoid generic “boilerplate” disclosure, we reiterate that the federal securities laws do not require disclosure that itself would compromise a registrant's cybersecurity.
The premise of the document is that investors have the right to know the risk associated with investing in a company. If the company is the subject of a significant cyber-incident, internal or external, then the investors should be made aware of the facts so that they may properly evaluate the risk associated with investing in the company. At the moment some companies tend to hide cyber-incidents and therefore are denying investors full disclosure of risk.
What this means, for example, is that if a company is attacked it must disclose the attack, unless disclosing it would itself further compromise the company (at this point I can see the lawyers lining up for a food fest).
Registrants should address cybersecurity risks and cyber incidents in their MD&A if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant's results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.
If one or more cyber incidents materially affect a registrant's products, services, relationships with customers or suppliers, or competitive conditions, the registrant should provide disclosure in the registrant's “Description of Business.” In determining whether to include disclosure, registrants should consider the impact on each of their reportable segments.
As an example, if information related to a business transaction was stolen, and access to that information enabled a third party to undercut a deal, then the shareholders have lost value as a result of the theft. Failure to disclose this could result in shareholder lawsuits.
Registrants are required to disclose conclusions on the effectiveness of disclosure controls and procedures. To the extent cyber incidents pose a risk to a registrant's ability to record, process, summarize, and report information that is required to be disclosed in Commission filings, management should also consider whether there are any deficiencies in its disclosure controls and procedures that would render them ineffective.
I see this document as a wake-up call to the boards of public companies that they need to take cyber-security seriously. This in turn is going to focus C-level management on the topic, and it will trickle down from there.
With the release of this document the SEC has taken concern for cyber-security out of the IT realm and placed it firmly in the financial realm. It is now no longer an issue of technology; it has become one of liability and compliance.
How long will it be before we see a section on cyber-security in the Annual Report?
From a Dexa Systems perspective, the takeaway is that cyber-security is a key component of the framework used to develop prioritised IT infrastructure strategies for the corporation.