October 17, 2011
On October 13, 2011, the staff of the Securities and Exchange Commission ("SEC") released disclosure guidance regarding public company disclosure obligations relating to cybersecurity risks and cyber incidents (the "Disclosure Guidance").[1] The Disclosure Guidance reviews specific SEC disclosure rules that may require public companies to describe cybersecurity matters and provides SEC staff guidance on what type of disclosure, if any, may be necessary in light of a company’s particular facts and circumstances. The Disclosure Guidance is available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm. Cybersecurity is only the second topic to be addressed in the Division of Corporation Finance’s new Disclosure Guidance publications.
Background
The Disclosure Guidance follows a May 2011 joint letter from five U.S. senators to SEC Chairman Mary Schapiro requesting that the SEC develop and publish interpretative guidance "clarifying existing disclosure requirements pertaining to information security risk, including material information security breaches involving intellectual property or trade secrets."[2] Chairman Schapiro responded by summarizing specific rules and items that may trigger disclosure requirements under the federal securities laws and noting that she had asked the SEC staff to provide her with a briefing on current disclosure practices and on whether additional guidance is needed.[3] The Disclosure Guidance sets forth the views of the SEC’s Division of Corporation Finance and is not an SEC rule, regulation, or statement.
Overview of the Disclosure Guidance
The SEC staff states at the outset that its Disclosure Guidance in this context is "consistent with the relevant disclosure considerations that arise in connection with any business risk." It notes that the SEC staff is "mindful of potential concerns that detailed disclosures could compromise cybersecurity efforts — for example, by providing a ‘roadmap’ for those who seek to infiltrate a registrant’s network security." In this regard, the SEC staff emphasizes that SEC rules do not require disclosure that itself would compromise a company’s cybersecurity. Instead, it states that companies should "provide sufficient disclosure to allow investors to appreciate the nature of the risks faced by the particular registrant in a manner that would not have that consequence."
The Disclosure Guidance acknowledges that existing SEC disclosure rules do not explicitly reference cybersecurity matters but notes that such disclosures may still be required under existing SEC rules: "material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading." Thus, similar to the SEC’s 2010 Interpretative Release with respect to climate change disclosures[4], the Disclosure Guidance provides the SEC staff’s thoughts on the application of existing SEC disclosure rules to cybersecurity matters. Specifically, the Disclosure Guidance addresses disclosure considerations applicable to both cybersecurity risks and cyber incidents under the following provisions:
1. Risk Factors
2. Management’s Discussion and Analysis of Financial Condition and Results of Operations
3. Description of Business
4. Legal Proceedings
5. Financial Statement Disclosures
6. Disclosure Controls and Procedures
7. Form 8-K
What Companies Should Do Now
In light of the Disclosure Guidance, public companies should:
1. As part of the company’s disclosure controls and procedures, review the existing process for assessing the materiality of cybersecurity matters to the company and determine what (if any) disclosures should be included in their SEC filings with respect to cybersecurity matters. The process should include discussions among the company’s securities law counsel, information technology and security personnel and members of the company’s disclosure committee.
2. Assess the company’s current disclosures and compare them to disclosures by others in the company’s industry. Cybersecurity disclosures are not uncommon: twenty-one Dow 30 companies included discussions of or references to cybersecurity or data breaches in their 2011 Form 10-K risk factor disclosures. However, the Disclosure Guidance cautions that such disclosures must be specifically tailored to a company’s particular circumstances.
3. Be prepared in the event of a cyber incident to consider what disclosures may be necessary, including whether a Form 8-K is appropriate. The SEC staff may monitor news reports for cybersecurity incidents, review those companies’ SEC filings and issue comments based on the Disclosure Guidance.
4. Be mindful that additional requirements related to cybersecurity may be forthcoming from the Administration and Congress. In May 2011, the White House presented to the Speaker of the House and the President of the Senate a legislative proposal titled the "Cybersecurity Regulatory Framework for Covered Critical Infrastructure Act" (the "Proposed Critical Infrastructure Act"),[5] which is part of a broad set of proposed legislation that would, among other things, impose new disclosure and certification requirements on "critical infrastructure" entities. For example, the proposed legislation would require a covered company’s CEO to certify (akin to the certifications required by Section 404 of the Sarbanes-Oxley Act of 2002 ("Sarbanes-Oxley")) in annual SEC filings (1) that the company has developed and is expeditiously implementing a cybersecurity plan compliant with the provisions of the Act; (2) that a cybersecurity evaluation has been completed; and (3) whether such evaluation concluded that the covered critical infrastructure is effectively mitigating identified cybersecurity risks. At least three Congressional committees have held hearings on the White House proposal and other related proposals, and a number of senators have introduced separate cybersecurity legislation of varying types.[6]
[1] For purposes of the Disclosure Guidance "cybersecurity" means "the body of technologies, processes and practices designed to protect networks, systems, computers, programs and data from attack, damage or unauthorized access."
[2] Available at http://commerce.senate.gov/public/?a=Files.Serve&File_id=4ceb6c11-b613-4e21-92c7-a8e1dd5a707e. Signatories included Senator John D. Rockefeller IV (D-WV), Chairman of the Commerce, Science, and Transportation Committee.
[3] Available at http://commerce.senate.gov/public/?a=Files.Serve&File_id=abb71f29-9439-45e8-a366-b9d95d8027de. Following the release of the Disclosure Guidance, Senator Rockefeller issued a statement applauding the SEC staff’s action. Available at http://commerce.senate.gov/public/index.cfm?p=PressReleases&ContentRecord_id=4acbf0d1-7695-4fd8-be64-b950da8f1372.
[4] See http://www.sec.gov/rules/interp/2010/33-9106.pdf.
[5] The text of the Proposed Critical Infrastructure Act is available at http://www.whitehouse.gov/sites/default/files/omb/legislative/letters/Cybersecurity-Regulatory-Framework-for-Covered-Critical-Infrastructure-Act.pdf.
[6] For example, Senator Rockefeller has co-sponsored legislation similar to the White House proposal, and Senators Joe Lieberman (I-CT) and Susan Collins (R-ME) have also introduced legislation. On September 22, 2011, three separate bills that would establish a national data breach notification standard were approved by the Senate Judiciary Committee. These include the Personal Data Privacy and Security Act of 2011, sponsored by Senator Patrick Leahy (D-VT), the Data Breach Notification Act of 2011, introduced by Senator Dianne Feinstein (D-CA), and the Personal Data Protection and Breach Accountability Act of 2011, sponsored by Senator Richard Blumenthal (D-CT).
Gibson, Dunn & Crutcher’s lawyers are available to assist in addressing any questions you may have regarding these issues.
To learn more about the firm’s Securities Regulation and Corporate Governance Practice, please contact the Gibson Dunn attorney with whom you work, or any of the following:
John F. Olson – Washington, D.C. (202-955-8522, jolson@gibsondunn.com)
Brian J. Lane – Washington, D.C. (202-887-3646, blane@gibsondunn.com)
Ronald O. Mueller – Washington, D.C. (202-955-8671, rmueller@gibsondunn.com)
Amy L. Goodman – Washington, D.C. (202-955-8653, agoodman@gibsondunn.com)
James J. Moloney – Orange County (949-451-4343, jmoloney@gibsondunn.com)
Elizabeth Ising – Washington, D.C. (202-955-8287, eising@gibsondunn.com)
Gillian McPhee – Washington, D.C. (202-955-8230, gmcphee@gibsondunn.com)
To learn more about the firm’s Information Technology and Data Privacy Practice Group, please contact the Gibson Dunn attorney with whom you work, or any of the following:
Debra Wong Yang – Los Angeles (213-229-7472, dwongyang@gibsondunn.com)
M. Sean Royall – Dallas (214-698-3256, sroyall@gibsondunn.com)
S. Ashlie Beringer – Palo Alto (650-849-5219, aberinger@gibsondunn.com)
Alexander H. Southwell – New York (212-351-3981, asouthwell@gibsondunn.com)
© 2011 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.