Recently, the U.S. Securities and Exchange Commission issued some guidance for when publicly listed companies must disclose hacking incidents or other breaches of their cyber security to investors. See SEC Release here. The SEC said that if there is a breach of cyber security that leads to losses, then companies should “provide certain disclosures of losses that are at least reasonably possible.” The link on the SEC website to the SEC Guidelines is available here.
The SEC noted that companies may need to disclose known or threatened cyber incidents to put the discussion of cyber security risks in context. For example, if a company experienced a material cyber attack in which customer data was compromised, it likely would not be sufficient for the company to disclose that there is a risk that such an attack may occur. Instead, the company “may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences.”
The SEC said that companies need to address cyber security risks and cyber incidents in their Management Discussion and Analysis of Financial Condition and Results of Operations sections “if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.” If it is reasonably likely that the attack will lead to reduced revenues or an increase in cyber security protection costs, including costs related to litigation, the company is required to discuss the possible outcomes, including the amount and duration of the expected costs, if material. Alternatively, if the attack did not result in a loss but prompted the company to materially increase its cyber security protection expenditures, the company should discuss those increased expenditures.
This summary was prepared by Kevin F. Brady of Connolly Bove Lodge & Hutz LLP.