With all of the focus on the SEC’s new cybersecurity disclosure rules, it is easy to lose sight of existing expectations for cybersecurity disclosure. Risk factor disclosure has been carrying a lot of the weight on the topic of cybersecurity to date, and as Cybersecurity Awareness Month reminds us, there is little hope that cybersecurity risks will be abating anytime soon.
As we note in the most recent issue of The Corporate Executive, it is always a good time for a cybersecurity risk factor tune-up. Some of the key things to keep in mind are:
1. Cybersecurity risks are among the most existential risks that any public company faces, so the cybersecurity risk factor should reflect that reality. It should stand alone as its own risk factor, rather than being lumped in with a description of other risks that the company faces.
2. Avoid the hypothetical risk factor trap! Over the years, we have spilled a lot of ink describing the SEC’s concerns with cybersecurity risk factors being too hypothetical, i.e., when they describe the potential risks from cybersecurity but do not make clear that the company is under attack all of the time. In this regard, context is everything, so make sure that the risk factor accurately describes the company’s actual threat environment.
3. Your risk factor can describe preventative measures the company has taken and whether you have insurance, but be sure to clearly indicate that any such measures may not be sufficient to prevent, mitigate or offset the cost of a cybersecurity incident.
4. As demonstrated by the SEC’s new cybersecurity risk management, strategy and governance disclosure rules, there is an ever-present concern about the risks presented by third-party access to company systems, and it is therefore important today to address those risks in the risk factor disclosure.
5. Carefully consider what consequences you face (or have faced) from a cybersecurity incident and articulate those consequences in the risk factor disclosure. Participating in table-top exercises and delving into the company’s incident response plans are great ways to develop the information necessary to accurately describe the potential outcomes from a cybersecurity incident.
Finally, I encourage you to consider the placement of your cybersecurity risk factor in the risk factors section. Is the risk factor buried in the back of the risk factors section, and should it be more prominent in the front of that section given the magnitude of the risk?
– Dave Lynn