• SEC Releases New Guidance on Cybersecurity Disclosure
  • December 27, 2011
  • Law Firm: Harter Secrest Emery LLP - Rochester Office
  • Recently the Securities and Exchange Commission (the “SEC”) released guidance discussing the disclosure obligations public companies have under federal securities laws regarding cybersecurity risks and cyber incidents. As companies become increasingly dependent on the use of digital technologies, the risk and damage caused by cyber attacks have increased. A company that falls victim to a cyber attack can find itself facing negative consequences, including the costs associated with an attempt to mitigate the damages resulting from the incident, losses from asserted and unasserted claims (including breach of warranty, breach of contract and costs associated with product recalls), diminished future cash flows, litigation costs, and reputational damage. Large companies such as Citigroup, Sony, Google and Lockheed Martin have recently had to cope with these issues after falling victim to cyber attacks that received significant media attention. The SEC, through its release, attempts to provide guidance to public companies regarding their disclosure obligations under federal securities laws in light of such risks or circumstances. The SEC’s guidance does not modify or add to any of the SEC’s current disclosure requirements. Instead, the SEC discusses how public companies should describe cybersecurity matters and their potential impacts within the existing disclosure framework, and in particular, as cybersecurity matters relate to disclosure regarding risk factors, management’s discussion and analysis (“MD&A”), description of the business, legal proceedings, and disclosure controls and procedures. The full SEC guidance can be found at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.