This 20-page Mayer Brown memo looks at where cyber disclosures are appearing – and what they’re saying. Samples include:
– Risk Factors: “general” cyber risk disclosures, risks specific to e-commerce, disclosures that cover the intersection of cybersecurity and data privacy, and disclosures about actual or known breaches.
– Description of Business: “general” disclosures, financial services industry, actual or known breaches, and ongoing litigation about breaches.
– MD&A: “general” disclosures, risk management, actual or known breaches, internal controls or material weaknesses from failure to address cyber risks, ongoing litigation about breaches.
The memo suggests ways to improve your required cyber disclosures – including consideration of whether to disclose the costs of managing & combating risks, and how to balance the need to make specific disclosures with the need to safeguard sensitive info.
I blogged a few months ago about the idea of using “risk ratings” to help convey the appropriate level of information. ISS Corporate Solutions has now also announced that it’ll be making its Cyber Risk Scores available on OneTrust Vendorpedia – so these scores might start to get more use.
– Liz Dunshee