GUEST BLOG: New SEC disclosure guidance about cyber security risks

28 October 2011 | Internet, IT & e-Discovery Blog
Authors: Peter Vogel


I welcome Jim Brashear as a Guest Blogger with his blog concerning cyber security risks. Jim is Vice President, General Counsel and Corporate Secretary of Nasdaq-traded Zix Corporation, the market leader in email encryption services. He frequently appears as a public speaker on corporate governance, data security and information technology legal topics. You may want to follow him on Twitter. I’m sure we will see more Guest Blogs from him in the future. 

New SEC disclosure guidance about cyber security risks

The SEC recently issued new disclosure guidance about cyber security risks (CF Disclosure Guidance: Topic No. 2, "Cybersecurity", released by the Division of Corporation Finance on 13 October 2011). In summary, the SEC is directing public companies to review, on an ongoing basis, the adequacy of their disclosure relating to cyber security risks and cyber incidents. The guidance does not create new disclosure standards; it reminds public companies of existing disclosure requirements that may apply to cyber security risks and cyber incidents.

The bottom line is that this guidance should cause public companies, including their senior management and boards of directors, to give more attention to assessing cyber security as part of their enterprise risk assessments, because a discussion of cyber security risks and cyber incidents may become expected in public company financial disclosure. It should also prompt public companies to include these issues in their disclosure controls processes.

The SEC provides more specific guidance about disclosure in six areas of public company financial reports: Risk Factors, Management’s Discussion and Analysis (MD&A), Business Description, Legal Proceedings, Financial Statement Disclosure, and Disclosure Controls and Procedures.

On the last of these, Disclosure Controls and Procedures, public companies will need to assess and disclose conclusions about the impact of cyber security risks and cyber incidents on the effectiveness of the organization's controls over financial disclosure, including whether an incident has revealed any deficiency that would render those controls ineffective. Public companies should also supplement their disclosure controls checklists so that the disclosure controls process routinely considers whether disclosure about cyber risks and cyber incidents is warranted.

Companies are not required to disclose every issue that their disclosure committees identify for consideration and discussion. In fact, the SEC recognizes that detailed disclosure of these matters could itself increase cyber risk, for example by providing a roadmap to those seeking to penetrate the company's systems. An organization may also want to limit which personnel take part in IT security discussions or receive reports about those issues, for example based on individual security clearances, so the process may require that those discussions occur in a smaller group.

The list of questions below is intended to (a) prompt a discussion in the disclosure committee of any meaningful changes in the company’s cyber risk profile and whether additional disclosure (or other action) is warranted, and (b) create a written record that management thoughtfully considered the principal data security and privacy risks facing the company in order to determine whether additional disclosure (or other action) is warranted.

1. Any significant change to the nature or level of cyber security risks facing the company or affecting the company's services to customers [such as any meaningful increase in actual or threatened penetration attempts, spear phishing, advanced persistent threat (APT) activity, or denial of service (DoS) attacks]

2. Any significant cyber incident [such as malware embedded in any company system that may have exposed or compromised any of the company's confidential or proprietary information, or the transmission or other exposure via the internet of unencrypted personal information of any customer, employee or other individual]

3. Any significant cyber security risk deficiency identified in any review or audit of the company's information security or data privacy practices

4. Any significant change to the company's expenses or capital costs of mitigating cyber security risks, such as an increase in cyber risk insurance premiums or in spending on services purchased to prevent system penetration

5. Any significant change in the company's ability to respond promptly to, and to resume operations promptly after, a cyber incident, or damage to or loss of power at the company's principal data center or any other system important to maintaining operations
