Firm Memoranda

SEC Provides Guidance on Cybersecurity Risks and Cyber Incidents

Date: 10/21/11

On October 13, 2011, the Division of Corporation Finance of the Securities and Exchange Commission (the "SEC") issued Disclosure Guidance providing the Division's views on disclosure obligations relating to cybersecurity risks and cyber incidents. Although the Guidance focuses on one type of risk, the analysis of disclosure obligations also applies to business and operational risks generally. The Guidance notes that SEC registrants have become increasingly dependent on digital technologies, which has increased the significance of cybersecurity risks and cyber incidents, such as denial-of-service attacks on websites or unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data, or causing operational disruption. The Division highlights costs and negative consequences from cyber incidents that could require discussion under existing disclosure obligations, including:

  • remediation costs, including liability for stolen assets or information, repairing system damage or incentives to customers or business partners to maintain business relationships;
  • increased cybersecurity protection costs;
  • lost revenues due to misuse of proprietary information or loss of customers;
  • litigation; and
  • reputational damage adversely affecting customer or investor confidence. 
