SEC Provides Disclosure Guidance On Cybersecurity


On October 13, 2011, the Division of Corporation Finance (the "Division") of the Securities and Exchange Commission (SEC) issued informal guidance regarding the disclosure by public companies of cybersecurity risks and cyber incidents.1

While the use of computer networks has increased the efficiency of business operations, it also exposes companies to cyber attacks that may result in the theft of company assets or sensitive information about the company, its customers and other business partners. Cyber attacks may cause a company to not only incur substantial costs (e.g., remediation costs, litigation costs and costs to increase security) but also to suffer loss of revenue and reputational damage. In issuing its guidance, the Division recognized that with the "increasing dependence on digital technologies," there has been an increased focus on "how [cybersecurity] risks and their related impact on the operations of a registrant should be described within the framework of the disclosure obligations imposed by the federal securities laws."

For example, in April 2011, Epsilon, a marketing services firm that manages e-mail lists for major retailers and banks, reported an unauthorized entry into its email system which compromised a subset of customer email addresses and names. News outlets reported that the list of companies affected included a wide variety of S&P companies. Although the Epsilon incident occurred prior to the issuance of the Division's new guidance, Epsilon's parent company, Alliance Data Systems Corporation ("Alliance"), reported information regarding the cyber incident in several Form 8-K filings with the SEC.2 Furthermore, Alliance received a comment letter from the SEC requesting disclosure of the Epsilon incident,3 and Alliance included such disclosure in its Form 10-Q for the quarter ended March 31, 2011.4

While the Division acknowledges that the SEC's existing disclosure requirements do not explicitly refer to cybersecurity risks and cyber incidents, the Division's guidance includes a reminder that one of the purposes of the federal securities laws is to "elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision." The Division's guidance highlights the following areas in disclosure documents that may require a discussion of cybersecurity risks and cyber incidents:

In Risk Factors, if the risk of cyber incidents...

To continue reading