In today’s day and age, it’s hard to imagine any company that is not using the internet or internal technology to drive its business. However, companies, their boards and shareholders may not always understand the full extent of the risk that lies in that technology. Prompted by the considerable attention paid to high-profile cybersecurity incidents, the Division of Corporate Finance of the Securities and Exchange Commission has focused on this issue and recently provided its views on registrants’ cyber risk disclosure obligations.
The Division states, “Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.”
Why is cybersecurity such a critical issue?
Virtually all activities today rely on computers and the internet – communication (internet, smartphones), shopping (online stores, credit cards), personal records (medical, employee and customer information), accounting records, etc. Cybersecurity entails protecting this information by preventing, detecting, and responding to attacks.
What risks and consequences do you need to consider?
The risks companies should consider are: 1) misappropriation of sensitive data, including proprietary information, 2) corrupted data and 3) operational disruption. These may be carried out by someone gaining unauthorized access or causing processing disruptions. Attacks may lead to consequences such as additional costs, lost revenues and litigation, as well as reputational damage.
Which companies are most at risk?
Everyone who maintains data in an electronic environment. Zeena Patel, a leader in EisnerAmper’s Technology Audit and Advisory Services group, notes: “The Division was prompted to provide their views when several large companies were involved in significant attacks. However, data shows that criminals are just as likely to invade smaller and medium-sized organizations who may not have the resources to detect and prevent attacks quickly.”
What disclosures may be required?
The guidance, which does not change the existing rules and regulations, requires companies to disclose any aspects of their business that could have material costs and consequences.
A significant attack, or high risk of attacks (even if currently undetected), may require quantitative and qualitative information within the “Risk Factor” disclosure.
Further consideration must also be given as to the inclusion of costs and consequences in Management’s Discussion and Analysis and Financial Statements.
Lastly, a lack of operating cybersecurity controls may also render Disclosure Controls and Procedures ineffective.
How should companies respond to the guidance?
Zeena further states: “Companies should be preparing a risk assessment which also includes third-party providers. Understanding the magnitude and likelihood of potential attack within your current controls will allow you to determine your disclosure requirements.”
The guidance can be found at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
For more information, please contact Saltmarsh, Cleaveland & Gund, (850) 435-8300.
© 2011 EisnerAmper LLP