Investors, lenders and other stakeholders have been vocal in recent years about pushing companies to provide more information in their financial reports about cybersecurity. Could your company do a better job disclosing cyberrisks and recent hacks?
Most public companies could do better, according to recent testimony during congressional hearings by Jay Clayton, Chairman of the Securities and Exchange Commission (SEC). Here are ways his agency is attempting to “refresh” the disclosure guidance.
Updating the guidance
The SEC doesn’t expect to overhaul its Disclosure Guidance: Topic No. 2, Cybersecurity. Rather, it plans to consider whether important information about cybersecurity should be disclosed to stakeholders within the context of the existing rules. For example, companies may need to beef up their management’s discussion and analysis (MD&A) and footnote disclosures to reflect potential cyberrisks and material financial implications of data breaches.
The current guidance on cybersecurity, which was published in 2011, doesn’t include a specific requirement for companies to disclose computer system intrusions. The SEC’s effort to update the guidance comes amid concerns that more public companies have been experiencing attacks to their computer systems, but their disclosures haven’t been timely or informative enough.
Changes in the works
Regulators in the SEC don’t know whether the update will be issued in the form of staff-level guidance or a regulatory release approved by the SEC’s commissioners. But they’ve decided to address two key areas in the update:
- Financial reporting controls and procedures that identify and disclose cybersecurity threats in a timely manner, and
- Corporate strategies and policies regarding cybersecurity prevention, detection and breach response.
Many companies welcome additional guidance from the SEC, because it can be difficult to determine the appropriate time to disclose a hack into their systems.
On the one hand, companies feel a responsibility to share relevant information openly and honestly with stakeholders. On the other, they don’t want to prematurely disclose information about a breach before they know the extent of the damage or to release inaccurate information that later needs to be revised. Company insiders may also be working with law enforcement, in which case they don’t want to disclose information that could compromise the investigation.
Regardless of whether your business is public or private, it’s important to assemble a team of professional advisors — including legal, insurance and financial experts — to identify risk factors and to handle breach response, measure the impact and mitigate potential losses. We can help you provide transparent and timely information to your stakeholders, so feel free to contact us.
Information provided on this web site “Site” by Thompson Greenspon is intended for reference only. The information contained herein is designed solely to provide guidance to the user, and is not intended to be a substitute for the user seeking personalized professional advice based on specific factual situations. This Site may contain references to certain laws and regulations which may change over time and should be interpreted only in light of particular circumstances. As such, information on this Site does NOT constitute professional accounting, tax or legal advice and should not be interpreted as such.
Although Thompson Greenspon has made every reasonable effort to ensure that the information provided is accurate, Thompson Greenspon, and its shareholders, managers and staff, make no warranties, expressed or implied, on the information provided on this Site, or about any other website which you may access through this Site. The user accepts the information as is and assumes all responsibility for the use of such information. Thompson Greenspon also does not warrant that this Site, various services provided through this Site, and any information, software or other material downloaded from this Site, will be uninterrupted, error-free, omission-free or free of viruses or other harmful components.
Information contained on this Site is protected by copyright and may not be reproduced in any form without the expressed, written consent of Thompson Greenspon. All rights are reserved.
Ready to talk to one of our specialists?
Our specialists are all seasoned professionals who have years of experience working within your industry. Reach out to us today to schedule a consultation.