TheCorporateCounsel.net

October 24, 2023

Cybersecurity Risk Management, Strategy and Governance Disclosure: Describing Expertise

For those looking for some inspiration when drafting their new cybersecurity disclosure for upcoming Form 10-K filings, our latest issue of The Corporate Executive includes an annotated sample of the disclosure that is meant as a guide, rather than as a form that would readily apply to any company.

One of the more challenging aspects of the new disclosure requirements is Item 106(c)(2) of Regulation S-K and Item 16K(c)(2) of Form 20-F. These items provide that, when describing management’s role in assessing and managing the company’s material risks from cybersecurity threats, a company should address whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise. For this purpose, the SEC indicates that relevant expertise of management may include, for example, prior work experience in cybersecurity, any relevant degrees or certifications, and any knowledge, skills or other background in cybersecurity.

We do not interpret this disclosure item to require the level of detailed background information required for executive officers and directors under Item 401 of Regulation S-K. Rather, the item contemplates specific disclosure about the relevant expertise that individuals (such as the Chief Information Security Officer or members of a management cybersecurity committee) have in assessing and managing risks from cybersecurity threats. For example, in our annotated sample disclosure, we state:

The CISO has served in various roles in information technology and information security for over 25 years, including serving as the Chief Information Security Officer of two large public companies. The CISO holds undergraduate and graduate degrees in computer science and has attained the professional certification of Certified Chief Information Security Officer. The CTO holds an undergraduate degree in computer science and a master’s degree in business administration, and has served in various roles in information technology for over 30 years, including serving as either the Chief Technology Officer or Chief Information Officer of four public companies. The Company’s CEO, CFO and CLO each hold undergraduate and graduate degrees in their respective fields, and each has over 25 years of experience managing risks at the Company and at similar companies, including risks arising from cybersecurity threats.

On the topic of professional certifications that might be disclosed in this context, we note that examples of professional certifications in cybersecurity include Certified Chief Information Security Officer, Certified Information Systems Security Professional or Certified Information Systems Security Manager.

As I mentioned yesterday, it is important to remember that the establishment of new disclosure requirements is often an iterative process: we make an attempt to comply with the new requirement in the first year, and then adjust the disclosure approach going forward as we observe what other companies disclose and consider any Staff guidance or comments on the new disclosure. This cybersecurity expertise disclosure is therefore likely to evolve over time.

If you do not have access to all of the practical guidance in The Corporate Executive, subscribe today!

– Dave Lynn