TheCorporateCounsel.net

Providing practical guidance since 1975.

December 19, 2024

Cybersecurity: How to Tune Up Your 10-K Disclosures

Last week, Gibson Dunn released this survey of annual report cybersecurity disclosures by S&P 100 companies. The report notes that there is significant variation among the disclosures — at least partially reflecting necessary variability due to differences in company size & complexity, nature & scope of activities, industry, regulation, sensitivity of data and risk profile. Since disclosure in this area requires a special balancing act of providing investors decision-useful information and not revealing sensitive data that could be exploited, the Gibson Dunn team expects these disclosures will continue to change with the evolving cyber threat landscape and as disclosure practices converge.

To that end, the data in the report may be useful to consider as you decide whether and how to ‘tune-up’ your 10-K cyber disclosures for your next annual report filing. Here is the executive overview from the report describing the key disclosure trends:

– Materiality. The phrasing used by companies for this disclosure requirement varies widely. Specifically, in response to the requirement to describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the company, the largest group of companies (40%) include disclosure in Item 1C largely tracking Item 106(b)(2) language (at times, subject to various qualifiers); 38% vary their disclosure from the Item 106(b)(2) requirement in how they address the forward-looking risks; and 22% of companies do not include disclosure specifically responsive to Item 106(b)(2) directly in Item 1C, although a substantial majority of these companies cross-reference to a discussion in Item 1A “Risk Factors.”

– Board Oversight. Most companies delegate specific responsibility for cybersecurity risk oversight to a board committee and describe the process by which such committee is informed about such risks. Ultimately, however, the majority of surveyed companies report that the full board is responsible for enterprise-wide risk oversight, which includes cybersecurity.

– Cybersecurity Program. Companies commonly reference their program alignment with one or more external frameworks or standards, with the National Institute of Standards and Technology (NIST) Cybersecurity Framework being cited most often. Companies also frequently discuss specific administrative and technical components of their cybersecurity programs, as well as their high-level approach to responding to cybersecurity incidents.

– Assessors, Consultants, Auditors or Other Third Parties. As required by Item 106(b)(1)(ii), nearly all companies discuss retention of assessors, consultants, auditors or other third parties, as part of their processes for oversight, identification, and management of material risks from cybersecurity threats.

– Risks Associated with Third-Party Service Providers and Vendors. In line with the requirements of Item 106(b)(1)(iii), all companies outline processes for overseeing risks associated with third-party service providers and vendors.

– Drafting Considerations. Most companies organize their disclosure into two sections, generally tracking the organization of Item 106, with one section dedicated to cybersecurity risk management and strategy and another section focused on cybersecurity governance. Companies typically include disclosures responsive to the requirement to address material impacts of cybersecurity risks, threats, and incidents in the section on risk management and strategy.

The average length of disclosure among surveyed companies is 980 words, with the shortest disclosure at 368 words and the longest disclosure at 2,023 words. The average disclosure runs about a page and a half.

And don’t forget to take a look at your disclosures outside of Item 106 of Reg. S-K. The SEC enforcement actions targeting cybersecurity disclosures in the wake of an incident are continuing to roll in — with a new cease-and-desist order posted just this week focused on allegations of misleading hypothetical risk factor disclosure and omissions of material information (for example, failing to include that the accessed customer data included customer PII).

Meredith Ervine
