Capital Markets Alert: SEC Division of Corporation Finance Staff Issues Further Disclosure Guidance on Cybersecurity
10/28/2011
The staff of the Security and Exchange Commission’s (“SEC”) Division of Corporation Finance has provided additional advice about potential reporting problems via the issuance of Corporation Finance (“CF”) Disclosure Guidance: Topic No. 2, Cybersecurity (“CF Topic 2”).
CF Topic 2, which was issued on October 13, 2011, is the second of two guides issued by the SEC and deals with potential reporting problems for all registrants related to their disclosure obligations under Federal securities laws, including security risks arising from the use of digital technologies and the increasing number of cyber attacks aimed at usurping their assets and/or disrupting their operations. The guidance does not represent rules promulgated by the Commissioner. However, it does reflect the views of the staff members who are going to be reviewing filings by registrants. The first guide, issued in September 2011, dealt with matters related to compliance with Form 8-K disclosure requirements the staff would likely look for in reviews of filings related to reverse mergers.
CF Topic 2 states that: “Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents.”
The staff provides an overview of specific disclosure obligations that may need to be addressed including risk factors; management’s discussion and analysis; description of business; legal proceedings; financial statement disclosures; and disclosure controls and procedures.
CF Topic 2 includes the following reminder about disclosure controls and procedures: “Registrants are required to disclose conclusions on the effectiveness of disclosure controls and procedures. To the extent cyber incidents pose a risk to a registrant’s ability to record, process, summarize, and report information that is required to be disclosed in Commission filings, management should also consider whether there are any deficiencies in its disclosure controls and procedures that would render them ineffective.”
While the staff emphasizes the need to make appropriate disclosures to enhance the evaluation of cybersecurity risks, it also emphasizes that disclosures “providing a “roadmap” for those who seek to infiltrate a registrant’s network security … are not required under the federal securities laws.”
Click here to review CF Disclosure Guidance: Top No. 2 Cybersecurity. We urge you to review it and discuss the issues raised with your legal counsel and other professionals.
For more information about this or other SEC-related guidance, please contact your J.H. Cohn engagement partner at 877-704-3500.