August 24, 2012

The State of Cybersecurity Disclosure: Is Congressional Action Next?

It is now going on a year since the SEC issued CF Disclosure Guidance: Topic No. 2, Cybersecurity, and since that time I have been interested in seeing how the Staff has followed up on the guidance in the course of the 10-K review process. It turns out that much like after the Commission issued its interpretive release on climate change disclosures back in 2010, there hasn’t been a huge uptick in the number of comments directed at the topic. The Staff has said that the main focus of comments in this area has been on situations where there has been some reported breach, and the Staff is thus particularly interested in seeing specific disclosure about that breach and the related risk or MD&A disclosure. Given this focus, there have not been many instances that I have come across where the Staff is just fishing for cybersecurity disclosures, or commenting specifically on the sometimes vague or generalized risk factors that many issuers have now added.

It seems that perhaps Congress isn’t too satisfied with the SEC’ cybersecurity disclosure efforts, because a provision in the cybersecurity bill that stalled in Congress before the August recess addresses the SEC’s guidance and implementation efforts in a “sense of Congress” statement. Notably, Section 415 of S. 3414 observes that information security risks and related events that are material to investors should be disclosed, and to this end the SEC (not later than 1 year from enactment) should evaluate existing guidance, including CF Disclosure Guidance: Topic No. 2, to determine whether the guidance should be updated or issued as an interpretive release. Under the Senate bill, the SEC would also have to provide an annual report to Congress describing the types of security risks and related events disclosed by issuers in the prior year, whether the Staff required additional information of issuers, any awareness efforts undertaken by the SEC , and any enforcement actions relating to disclosure requirements for information security risks.

Could a new “Form CS” be too far behind?

Digging into Form SD

It is not too often that a new Exchange Act form comes along, so the first thing I turned to in the conflict minerals and payments by resource extraction issuers adopting releases was the Form SD appearing at the back. Because the SEC adopted the rules in two separate releases, you have to look at both to get the full picture of Form SD, because it is pulling double duty for both conflict mineral disclosure and disclosure of payments by resource extraction issuers (technically, the conflict minerals release adopted Form SD and then the other release amended it). Here are some of my own questions and answers about Form SD:

Does the Form SD reference Regulation S-K?
No, the SEC opted to have all of the disclosure requirements resident in Form SD itself, rather than adopting separate Regulation S-K items or amending Item 601 of Regulation S-K with respect to the exhibits. In this regard, Form SD is similar to Form 8-K, which for the most part includes the disclosure requirements directly in the items of the form.

Who signs Form SD?
General Instruction F to Form SD provides that the report “must be signed by the registrant on behalf of the registrant by an executive officer.” The form is not specific as to which executive officer must sign.

What exhibits are required with Form SD?
A Conflict Minerals Report (if required) and a Resource Extraction Issuer Disclosure Report are required to be filed with Form SD.

Are certifications required with the Form SD?
No certifications are required to be filed with Form SD.

What if the deadline for Form SD falls on a Saturday, Sunday or holiday on which the SEC is not open for business?
General Instruction B.2. of Form SD provides that, in this situation, the deadline for the form will be the next business day.

Does the Form SD have to filed on EDGAR?
Yes, and the Resource Extraction Issuer Disclosure Report must be tagged using XBRL.

Is the Form SD deemed “furnished” or “filed”?
The Form SD is deemed “filed.”

What if the DC Circuit vacates either the conflict minerals rules or the payments by resource extraction issuers rules, would Form SD still be valid?
Both releases include the language: “If any provision of these rules, or the application thereof to any person or circumstance, is held to be invalid, such invalidity shall not affect other provisions or application of such provisions to other persons or circumstances that can be given effect without the invalid provision or application. Moreover, if any portion of Form SD not related to resource extraction disclosure is held invalid, such invalidity shall not affect the use of the form for purposes of disclosure pursuant to [Section 13(q) or Section 13(p)].”

The Second Deal Cube Tourney: Round One; 8th Match

As noted in these rules (and keep sending more pics for the next tourney), please vote for two of the following four cubes below:

Large Ocean Ship
Pillsbury Dough Boy
Pink Shopping Bag
House Shaped w/ Old Car & Offshore Drilling Rig

Online Surveys & Market Research

– Dave Lynn