SEC Advises Net Breach Notification

Companies should consider cybersecurity when deciding what information is material to stockholders

Publicly traded cable and broadcast companies should
be on notice that they may need to inform their stockholders
of online security breaches, or risk running
afoul of government regulators.

Securities and Exchange Commission staffers have
advised public companies that they need to consider
cybersecurity when deciding what information is material
to their stockholders. This comes in response to queries
from various companies and follows a request for clarification from a powerful Senator, Jay Rockefeller (D-W. Va.).

In an advisory released Oct. 13, staffers in the SEC’s
division of corporate finance pointed out that cyber attacks
can cost big bucks in lost revenue and litigation
fees and have other negative consequences, such as
damage to a company’s reputation that could greatly
affect investor confidence.

SEC laws require that companies disclose information
about “risks and events” that a reasonable investor
would consider important to know. At present,
the advisory does not mandate the disclosure of any
cybersecurity information, and it is not a new rule
or a statement of official commission policy. Given,
however, that the SEC disclosure rules are fairly broad,
the advice can be viewed as merely a signal that in
a digital world, where broadband is the new engine
of commerce and communications, companies will
likely be expected to include incidents and threats in
disclosure forms.

That was certainly Rockefeller’s take on the matter.
“This guidance fundamentally changes the way companies
will address cybersecurity in the 21st century,”
the senator said in response to the release of the
guidelines. Rockefeller had asked the commission to
clarify corporate disclosure requirements for cybersecurity

It did not go that far, since the commission has not
officially endorsed the advisory. “It does not create any
new requirements or modifying existing requirements.
It is just providing advice on how to consider cybersecurity
issues,” said an SEC representative. That came
after companies, accountants and lawyers all had
sought guidance on how they should treat cybersecurity
in such disclosures, according to the SEC staffers.

A commission source pointed out that such advisories
are not routinely converted to mandates; there
is, however, precedent, including some Y2K advisories
that were eventually adopted as SEC rules.

Congress is independently considering legislation
that would institute data-breach and cyberattack
reporting requirements.

The following are the current risk disclosure obligations
that may require inclusion of cybersecurity risks and incidents, according to
the advisory.

Risk Factors: "Registrants should disclose the
risk of cyber incidents if these issues are among the most significant factors
that make an investment in the company speculative or risky."

Discussion/Analysis of Financial Condition:
"Registrants should address cybersecurity risks and cyber incidents...if the
costs or other consequences associated with one or more known incidents, or the
risk of potential incidents, represent a material event, trend or uncertainty
that is reasonably likely to have a material effect on the registrant's results
of operations, liquidity or financial condition, or would cause reported
financial information not to be necessarily indicative of future operating
results or financial condition."

Description of Business: "If one or more cyber incidents
materially affect a registrant's products, services, relationships with
customers or suppliers, or competitive conditions, the registrant should
provide disclosure in the registrant's 'Description of Business.'"

Legal Proceedings: "If a material pending legal
proceeding to which a registrant or any of its subsidiaries is a party involves
a cyber incident, the registrant may need to disclose information regarding
this litigation in its 'Legal Proceedings' disclosure."

Financial Statement Disclosures: "Cybersecurity
risks and cyber incidents may have a broad impact on a registrant's financial
statements, depending on the nature and severity of the potential or actual