
SEC Issues Guidance on Steps Publicly Traded Companies Should Take to Mitigate Cyber-Exposure

Recently, the Securities and Exchange Commission (“SEC”) released a guidance report for publicly traded companies on how they should disclose cyber-related risks in their quarterly and annual filings.  The guidance report is only a list of suggested best-practice disclosures and is not intended to be compulsory for public companies.  However, the suggestions may cause some corporations to re-evaluate how they secure mission-critical data, and the processes they go through to disclose those practices.  Some of the more notable recommendations include:

  • Adequate Insurance Coverage Based on Threat Assessment.  The guidance report recommends detailing the cyber-risks relevant to the business operations of the corporation, and ensuring that adequate insurance policies cover those particular risks.
  • Report Cyber-Attacks that are Material to Corporate Valuation.  The guidance report requires that corporations disclose cyber-attacks that are likely to cause a material adverse effect on the corporation’s overall valuation.
  • Corporate Responsibility.  The guidance report suggests that corporations provide their clientele/customers with “incentives” to maintain goodwill in a post-breach, post-attack scenario.  While it is customary to offer complimentary credit monitoring in the event of a breach, the guidance report suggests that corporations go beyond the normal response mechanisms and offer additional benefits to the victims.
  • Legal Proceedings and Financial Statement Disclosures.  Any material pending legal proceedings, or, depending on the nature and severity of the cyber-related incident, any sort of broad impact on the corporation’s financial viability, must be disclosed in the quarterly and annual reports filed with the SEC.
  • Disclosure of Corporate Controls.  Corporations should disclose commentary on the conclusions about, and effectiveness of, their corporate controls and procedures.

Again, it is important to understand that the report issued by the SEC is only a document of suggested best practices.  There may be situations where disclosure of a cyber-related incident is not advisable, for example while a law enforcement or internal forensic investigation is ongoing.
