By: George M. Wilson, SEC Institute
Cybersecurity risk is an important “hot topic” in period-end reporting. In our workshops we sometimes find that many people are not aware that the SEC has issued guidance about cybersecurity disclosures.
As a period-end reporting reminder, don’t forget to review CorpFin Disclosure Guidance Topic 2 as you address cybersecurity risk. The SEC, both at the staff and Commission level, have recently reiterated that they believe this guidance from 2011 is on-point for disclosure in the current environment. There have been some discussions about whether to move this from a CorpFin document to a more official Commission Release, but there has been no formal activity to date.
As you read the Disclosure Guidance Topic you will see it suggests that you should tailor information to your circumstances. Disclosure in Risk Factors (likely applicable for almost all companies!) is one issue, but disclosure may also be relevant in the Description of the Business, Legal Proceedings, MD&A and the Financials Statements.
Another reminder, Chairman Clayton’s remarks about cybersecurity risk also provide valuable insight into making appropriate disclosures in this complex area.
And, as a last thought, PLI is presenting a One-Hour Briefing titled “Integrating Enterprise Risk Management, Cybersecurity and Compliance in an Era of Big Data Breaches and Vulnerability” on February 13, 2018.
As always, your thoughts and comments are welcome!