SEC Issues Guidance on Cyber Risk Disclosure

On October 13, 2011, the United States Securities and Exchange Commission (SEC) issued formal guidance on how U.S. publicly traded companies should disclose cybersecurity risks and data exposure. In the guidance, the SEC states:

Depending on the registrant’s particular facts and circumstances, and to the extent material, appropriate disclosures may include:

  • Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
  • To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
  • Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
  • Risks related to cyber incidents that may remain undetected for an extended period; and
  • Description of relevant insurance coverage.

A registrant may need to disclose known or threatened cyber incidents to place the discussion of cybersecurity risks in context. For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur. Instead, as part of a broader discussion of malware or other similar attacks that pose a particular risk, the registrant may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences.

Of course, Iconix is not in the business of giving legal advice and we suggest that anyone interested in this topic should read the SEC formal guidance and consult with their attorneys. We are in the business of providing technology that improves the integrity of email. For email correspondence with customers, we offer our Truemark service. For internal email correspondence, we offer our SP Guard solution.

For further information on our email solutions, contact us at 408-727-6342, ext 3 or use our online form.
