October 22, 2021
Cybersecurity Awareness Month – Is Your Cybersecurity Disclosure in Good Shape?
It is my favorite time of year – the leaves are changing colors, there is a slight chill in the air, and my thoughts inevitably turn to – cybersecurity? October is Cybersecurity Awareness Month, which has apparently been a thing since 2004. The overarching theme for Cybersecurity Awareness Month 2021 is “Do Your Part. #BeCyberSmart.”
I think the focus on cybersecurity awareness makes it a great time to take a close look at your cybersecurity disclosure practices. As this MoFo memo notes, the SEC certainly does not need the month of October to be made aware of cybersecurity matters, given that the Division of Enforcement has focused its attention in recent months on “the efficacy of cybersecurity disclosure controls and procedures, especially where sensitive personally identifiable information (PII) is compromised without appropriate remediation, escalation, and disclosure.” With the annual reporting season fast approaching, October is a great time to take a step back and look at both your disclosure controls and procedures and your overall disclosure profile when it comes to cybersecurity.
On the disclosure controls and procedures front, the MoFo memo suggests the following key features of effective cybersecurity controls and procedures:
- Set forth steps to identify and investigate cybersecurity incidents;
- Assess and analyze the impact of the incident on the company’s business and customers;
- Ensure careful analysis of whether the cybersecurity incident is material, giving rise to disclosure obligations;
- Refer potentially material cybersecurity incidents to appropriate committees, including the disclosure committee, for assessment and analysis;
- Ensure that material cybersecurity incidents are reported to senior management and to the board of directors;
- Ensure that material cybersecurity incidents are disclosed to investors and that existing disclosures are reviewed and, if necessary, updated if new facts render them incorrect or misleading;
- Prescribe steps and deadlines to remediate incidents based on severity;
- Address circumstances under which trading restrictions should be imposed on company personnel who are in possession of material non-public information (MNPI) regarding the incident; and
- Provide for the issuance of a document preservation or litigation hold for material incidents or other incidents where the company anticipates litigation.
I think that it is also an opportune time between now and Halloween to review the cybersecurity disclosures in your SEC filings, particularly your cybersecurity risk factor disclosure. Some of the persistent areas of Staff focus through the comment letter process have been as follows:
Unbundling the Cybersecurity Risk. The Staff has often asked that a company break out cybersecurity risks into a separate risk factor, rather than including the risk in one risk factor that addresses a variety of other concerns that the issuer faces.
Addressing the Key Elements. The cybersecurity risk factor should address the types of cybersecurity threats that the company faces, and the extent to which the company has been impacted in a material way by actual breaches or other incidents. The cybersecurity risk factor should also address the risk that cyber incidents may go undetected for a long period of time, which could result in significant consequences. You should address preventative measures that have been established for the purpose of addressing cyber risks, and the risk that such measures may not be effective to avoid an incident. Risks are often raised by third-party access to the issuer’s IT systems, so the risk factor disclosure should address the extent to which access by vendors, outsourcing partners or others might expose the issuer to a cyber attack. Risk factor disclosure should also address whether an issuer has insurance coverage for cyber incidents, and the extent to which costs of a cyber attack could exceed that insurance coverage. The risk factor disclosure should highlight the actual and/or potential consequences of a cyber attack, which could include things like reputational harm, costs to remediate the impact of the attack, and costs for implementing protective measures.
Putting the Risk in Context. One frequent Staff comment asks that an issuer address in the risk factor actual or attempted cyber attacks, so that the reader can understand the risks as they apply in the context of the issuer’s business.
Avoiding Hypothetical Risk Factor Disclosure. With all of the warnings from the SEC and the Staff, it is now more important than ever to monitor all of the cybersecurity incidents that the company faces, so that you can accurately describe the cybersecurity threat in the risk factor without implying that the risks are only hypothetical. A good example of an emerging threat is the recent SolarWinds breach, which exposed companies to a potential threat through a “supply chain” attack, where the malicious software was inserted into the company’s patch prior to being distributed to customers.
As the SEC considers rulemaking in this area, companies should also consider the extent to which investors continue to look for the cybersecurity topic to be addressed from a governance perspective. We continue to see the evolution of disclosure in the proxy statement that addresses the extent to which the board and its committees oversee cybersecurity risks.
– Dave Lynn