After all the chaos and drama surrounding the most recent cybersecurity hack at Sony, the focus on this area has become even more intense.
Clearly, the first priority is doing whatever is possible to manage cybersecurity risk. Action steps must depend on each company’s specific situation, and there is no one-size-fits-all solution. To help in this regard, PLI is presenting a One Hour Briefing on February 18, 2015 titled “Cyber Security After Sony: Practice Points and Risk Mitigation Strategies”. You can learn more about the program at:
We also have archived the webcast of our one-day program on managing cybersecurity at:
From a disclosure perspective, the issues and the high public profile of the Sony hack raise the question whether cybersecurity risk should be disclosed in more detail or depth in upcoming filings. As a reminder, the SEC’s current guidance for cybersecurity risk disclosures is in CorpFin Disclosure Guidance Topic 2 at:
www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
A point to remember for now, which is brought out in the Disclosure Guidance Topic, is that this area may not be just a risk factor disclosure. Depending on the nature of the cybersecurity risk your company faces and the cybersecurity issues you have encountered, disclosure in:
The business section
Legal proceedings
MD&A, and
The financial statements
may be necessary.
As always, we welcome your thoughts and feedback!