Cybersecurity risk is again in the news. It seems like each cybersecurity incident is bigger and scarier than the breaches before. Clearly, the financial, reputational and other costs associated with these crimes are growing. Perhaps more importantly, the efforts and costs associated with the prevention of these events are becoming more significant.
As we approach year end, giving appropriate thought to cybersecurity disclosures will be an important discussion for most companies. As a reminder, the SEC’s existing guidance for cybersecurity disclosures is in Corp Fin’s Disclosure Guidance Topic 2, which you can find at:
The drive for more substantive disclosure, including information about the actual costs of cybersecurity breaches to a specific company and about cybersecurity prevention costs, runs through the Corp Fin guidance, and these comments help emphasize the important issues in disclosures about cybersecurity risks.
In this comment the staff reminds the registrant about Disclosure Guidance Topic 2:
Technology security risks and environmental and pollution risks could potentially impact our financial results, page 11
6. It appears that this risk factor addresses two separate risks: (1) technology security risks and (2) environmental risks. In future filings, please revise your risk factor disclosure to address these risks under separate headings. Also, with respect to the technology security risks, to the extent that these risks may relate to cybersecurity threats, in future filings please clarify your disclosure accordingly as well as consider the Division of Corporation Finance’s Disclosure Guidance Topic No 2, which is available on our website at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.
Notice the focus on qualitative and quantitative disclosure in this comment:
3. Your risk factor disclosure should provide sufficient qualitative and quantitative disclosure to enable a reader to assess the impact that these risks may have on your results of operations. In this regard, we note the following:
Your risk factor “Our business could be adversely affected by incidents…” on page 9 does not provide sufficient qualitative disclosure for one to understand which aspects of your business operations may expose you to these risks nor does it identify the actual risks or provide examples of past system failures or accidents;
Your risk factor “Technology security risks and environmental and pollution risks could potentially impact our financial results” on page 11 does not specify to what “certain information and technology security risks” you may be exposed.
This comment shows how details should be included to help readers understand the nature and magnitude of the risk:
Our business could be negatively impacted by security threats, including cybersecurity threats…
31. We note your disclosure that an unauthorized party was able to gain access to your computer network “in a prior fiscal year.” So that an investor is better able to understand the materiality of this cybersecurity incident, please revise your disclosure to identify when the cyber incident occurred and describe any material costs or consequences to you as a result of the incident. Please also further describe your cyber security insurance policy, including any material limits on coverage.
And this comment emphasizes the need for MD&A discussion if related costs are material:
Item 1A. Risk Factors “Security breaches and other disruptions or misuse of our network and information systems could affect our ability to conduct our business effectively,” page 12
1. We note your disclosure that during 2012 the ******* computer network was the target of a cyber-attack that you believe was sponsored by a foreign government, designed to interfere with your journalism and undermine your reporting. We also note your disclosure that you have implemented controls and taken other preventative actions to further strengthen your systems against future attacks. If the amount of the increased expenditures in cybersecurity protection measures was or is expected to be material to your financial statements, please revise your discussion in MD&A to discuss these increased expenditures. Also, if material, please revise the notes to your financial statements to disclose how you are accounting for these expenditures, including the capitalization of any costs related to internal use software.
Hope all this helps, and as usual your comments and thoughts are welcome!