SEC Statement and Interpretive Guidance on Public Company Cybersecurity Disclosures

Channel: LawCast

I’m attorney Laura Anthony, founding partner of Legal & Compliance, a full-service corporate, securities, and business transactions law firm.

Today is the final LawCast in a series talking about the new SEC guidance on cybersecurity disclosure.

On February 20, 2018, the SEC issued new interpretive guidance on public company disclosures related to cybersecurity risks and incidents. Today I am completing my discussion on specific areas of disclosure guidelines.

Disclosure of cyber-related matters may be required in a company’s business description where they affect a company’s products, services, relationships with customers and suppliers, or competitive conditions. Likewise, material litigation would need to be included in the “legal proceedings” section of a periodic report or registration statement. The litigation disclosure should include any proceedings that relate to cybersecurity issues.

Cyber matters may need to be included in a company’s financial statements prior to, during and/or after an incident. Costs to prevent cyber-incidents are generally capitalized and included on the balance sheet as an asset. GAAP provides for specific recognition, measurement and classification treatment for the payment of incentives to customers or business relations, including after a cyber-attack. Cyber-incidents can also result in direct losses or the necessity to account for loss contingencies, including those related to warranties, direct loss of revenue, providing customers with incentives, breach of contract, product recall and replacement, indemnification or remediation. Incidents can result in loss of, and therefore accounting impairment to, goodwill, intangible assets, trademarks, patents, capitalized software and even inventory. Financial statement disclosure may also include expenses related to investigation, breach notification, remediation and litigation, including the costs of legal and other professional service providers related to a cyber incident or a risk of cyber incident.

A company must disclose the extent of its board of directors’ role in the risk oversight of the company, such as how the board administers its oversight function and the effect this has on the board’s leadership structure. To the extent cybersecurity risks are material to a company’s business, this discussion should include the nature of the board’s role in overseeing the management of that risk. Information should also be included on how the board engages with management on cybersecurity risk management. Some would advocate that disclosure also be included on the background and role of management and their responsibilities related to cyber matters.

The new guidance clearly provides that companies should adopt comprehensive policies and procedures related to cybersecurity and assess their compliance regularly, including policy/procedure compliance related to the sufficiency of disclosure controls and procedures. Procedures must address a company’s ability to record, process, summarize and report financial and other information in SEC filings. Additionally, any deficiency in these controls and procedures would also be reported. The SEC reminds companies that their principal executive officer and principal financial officer must make individual certifications regarding the design and effectiveness of disclosure controls and procedures. These certifications should take into account cybersecurity-related controls and procedures.

Furthermore, as discussed in this LawCast series, a company should have proper policies and procedures preventing officers, directors and other insiders from trading on material nonpublic information related to cybersecurity risks and incidents.

Companies may have disclosure obligations under Regulation FD, or “Regulation Fair Disclosure,” related to cybersecurity matters. Under Regulation FD, “when an issuer, or person acting on its behalf, discloses material nonpublic information to certain enumerated persons it must make public disclosure of that information.” The SEC reminds companies that these requirements also relate to cybersecurity matters and that, along with all the other disclosure requirements, policies and procedures should specifically address any disclosure of material non-public information related to cybersecurity.

I’m securities attorney Laura Anthony, founding partner of Legal & Compliance, and producer of LawCast. Should you have any questions about today’s topic, please visit SecuritiesLawBlog.com and LawCast.com, or contact me directly. Inquiries of a technical nature are always encouraged.