SEC Advises Net Breach Notification

Companies should consider cybersecurity when deciding what information is material to stockholders

Publicly traded cable and broadcast companies should be on notice that they may need to inform their stockholders of online security breaches, or risk running afoul of government regulators.

Securities and Exchange Commission staffers have advised public companies that they need to consider cybersecurity when deciding what information is material to their stockholders. This comes in response to queries from various companies and follows a request for clarification from a powerful Senator, Jay Rockefeller (D-W. Va.).

In an advisory released Oct. 13, staffers in the SEC’s division of corporate finance pointed out that cyber attacks can cost big bucks in lost revenue and litigation fees and have other negative consequences, such as damage to a company’s reputation that could greatly affect investor confidence.

SEC laws require that companies disclose information about “risks and events” that a reasonable investor would consider important to know. At present, the advisory does not mandate the disclosure of any cybersecurity information, and it is not a new rule or a statement of official commission policy. Given, however, that the SEC disclosure rules are fairly broad, the advice can be viewed as merely a signal that in a digital world, where broadband is the new engine of commerce and communications, companies will likely be expected to include incidents and threats in disclosure forms.

That was certainly Rockefeller’s take on the matter. “This guidance fundamentally changes the way companies will address cybersecurity in the 21st century,” the senator said in response to the release of the guidelines. Rockefeller had asked the commission to clarify corporate disclosure requirements for cybersecurity breaches.

It did not go that far, since the commission has not officially endorsed the advisory. “It does not create any new requirements or modify existing requirements. It is just providing advice on how to consider cyber-security issues,” said an SEC representative. That came after companies, accountants and lawyers all had sought guidance on how they should treat cybersecurity in such disclosures, according to the SEC staffers.

A commission source pointed out that such advisories are not routinely converted to mandates; there is, however, precedent, including some Y2K advisories that were eventually adopted as SEC rules.

Congress is independently considering legislation that would institute data-breach and cyberattack reporting requirements.

The following are the current risk disclosure obligations that may require inclusion of cybersecurity risks and incidents, according to the advisory.

Risk Factors: "Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky."

Discussion/Analysis of Financial Condition: "Registrants should address cybersecurity risks and cyber incidents...if the costs or other consequences associated with one or more known incidents, or the risk of potential incidents, represent a material event, trend or uncertainty that is reasonably likely to have a material effect on the registrant's results of operations, liquidity or financial condition, or would cause reported financial information not to be necessarily indicative of future operating results or financial condition."

Description of Business: "If one or more cyber incidents materially affect a registrant's products, services, relationships with customers or suppliers, or competitive conditions, the registrant should provide disclosure in the registrant's 'Description of Business.'"

Legal Proceedings: "If a material pending legal proceeding to which a registrant or any of its subsidiaries is a party involves a cyber incident, the registrant may need to disclose information regarding this litigation in its 'Legal Proceedings' disclosure."

Financial Statement Disclosures: "Cybersecurity risks and cyber incidents may have a broad impact on a registrant's financial statements, depending on the nature and severity of the potential or actual incident."