SEC Suggests, But Doesn’t Require, Full Disclosure of All Cybersecurity Risks

Even possible threats that aren't material should be reported, the commission advises.
Katie Kuehner-Hebert, June 8, 2015

While the Securities and Exchange Commission is not mandating that publicly traded companies disclose all cybersecurity threats, it’s recommending that they lean toward the side of full disclosure, according to a Monday article in the Wall Street Journal.

Companies now have to report cybersecurity risks in their 10-Ks, and the commission is counseling them to include even possible threats whose disclosure is not currently mandated by state breach-notification laws.

“The SEC is becoming of the opinion that it is better to make disclosures if a company has had a number of incidents, even if they are not individually material and even if that’s not the perspective the company or its counsel would bring to the table in responding to a specific incident,” Tony McFarland, an attorney with Bass Berry, told the WSJ.


Companies that have already had to disclose breaches are setting the bar, though best practices for disclosure differ from industry to industry, said Jay Knight, a former SEC staffer and head of the law firm’s capital markets practice group.

“To the extent you’ve had ongoing or recurring cybersecurity events — or even if you haven’t had a breach but have knowledge that your systems have been under attack consistently or are aware of that — including that in disclosure is something the SEC … seems to be encouraging companies to do,” Knight told the WSJ. “This is an area where continual monitoring and diligence and being up to date is important, so you can make sure your own disclosures are accurate … and within the range of other companies’ disclosures in your industry.”