Cybersecurity — Cracking the Code on Upcoming Disclosures

Why It Is Important to Revisit All Cybersecurity Disclosures

The SEC’s Division of Enforcement has been, and we expect it will continue to be, focused on cybersecurity-related investigations and enforcement actions. These enforcement actions indicate that, particularly if a company experiences a material cybersecurity incident, the SEC will likely carefully review and compare the company’s SEC filings and other public statements to assess the accuracy and completeness of the company’s assertions about its cybersecurity practices. Internal legal counsel should be confident that internal documentation aligns with statements made in SEC filings and other public statements. Inadequate, incomplete, or inaccurate disclosure, and the absence of disclosure controls and procedures to promote accurate disclosure, exposes companies to the risk of significant liability.

Guidelines for Cybersecurity Disclosures

1. Start Early and Consider Who Will Draft: Disclosures must reflect a company’s actual practices and not what a company states in its policies or aspires to do. Often, the person who may know the specific details regarding cybersecurity measures at a company is someone in a technical role. It may be best to have company personnel in the cybersecurity or information technology function provide early input on an initial draft.
2. Allow Time for Multiple Levels of Internal Review: Additional time for review should be added into the Form 10-K or 20-F disclosure drafting process. Specifically, consider building in time for
   • Multiple layers of review, including:
     • Company cybersecurity experts
     • Review and iterations with the disclosure committee and/or management
     • External legal review, including review by counsel with expertise in public reporting, cybersecurity, and incident response
     • Legal counsel involved in any cybersecurity incident or lawsuit
   • Locating supporting documents and creating a file to back up statements
   • XBRL tagging: in future years, beginning one year after the initial compliance date, companies will be required to tag the Risk Management, Strategy, and Governance Disclosure in Inline XBRL, and additional time may need to be included to accommodate XBRL tagging.
3. Review All Cybersecurity-Related Disclosures, Not Just Those Contained in SEC Filings: Companies often overlook disclosures on their own website, press releases, or company reports (such as ESG reports) related to cybersecurity, and those disclosures may receive little or no review by the legal team. In assessing its cybersecurity-related disclosures, a company should conduct a review of all of its publicly available statements to ensure the accuracy of such statements and that the statements made in its SEC filings are consistent.
4. Be Mindful of Terminology: Terminology that sounds similar to the average person may have different meanings in the context of cybersecurity. Clear communication and involvement with the company’s internal security experts and/or Goodwin’s cybersecurity team is necessary to ensure terminology is used accurately.
5. Disclosure Needs to Be Backed Up: If factual statements are made in SEC filings or anywhere publicly, it is a best practice for the company to create a backup file of documentation that supports the statements made related to cybersecurity.
6. Language Needs to Be Precise: In drafting disclosure, companies should be careful to avoid puffery or language more appropriate for marketing materials. Companies sometimes make statements that are written as factual but in reality are goal-based or aspirational. For example, some companies state that their cybersecurity policies or programs “ensure” a secure cybersecurity environment. Legal should either adjust those statements or clarify that they are aspirational, such as rephrasing “ensure” to “designed to ensure.”
7. Disclosure Should Match Company Practice: Companies should be careful that they do not overstate the extent of their practices (even if practice is different from what is included in company policy). For example, a company should not state that it satisfies a cybersecurity framework if it does not have the framework in place for nearly all of its controls. To support statements made in SEC reports related to the new Risk Management, Strategy, and Governance Disclosure, companies should document internal processes to demonstrate oversight is occurring consistently with descriptions included in SEC filings. If there is a cybersecurity incident, companies and regulators will compare a company’s disclosure against what was done in practice based on internal records.¹
8. Consider Whether Disclosure Will Lead to More Security Vulnerabilities: Disclosures should be carefully drafted so they provide sufficient details that are not generic and provide useful information to investors, while at the same time not providing a roadmap to vulnerabilities for hackers. The SEC has recognized that a company “should not make detailed disclosures that compromise its cybersecurity efforts.”² Companies should be careful in drafting to consider whether any disclosure will affect its security efforts.

Specific Form 10-K Cybersecurity Disclosures

Included below are different sections of a report on Form 10-K where a company and its counsel should consider whether cybersecurity-related disclosures should be included.

A. Overall Principles

Focus on Materiality. As a guiding principle, information is required to be disclosed if it is material to investment decisions of investors (but need not have definitively caused a reasonable investor to change his or her investment decision). Materiality determinations are fact-specific and not solely reliant on quantitative factors. If an event is in the future, materiality determinations balance both the probability the event will occur and the significance of the event to the company. Note, however, that Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A) requires the discussion of “known trends” and this discussion, as noted below, requires a slightly different materiality analysis. While management is sometimes reluctant to disclose certain information, when making a materiality determination, always remember that materiality determinations will be assessed in hindsight. In addition, the head of the SEC’s Division of Enforcement recently stated “[the SEC’s Division of Enforcement] ha[s] zero tolerance for gamesmanship around the disclosure decision.”³

Omissions Matter. A company is required to disclose “such further material information, if any, as may be necessary to make the required statements, in light of the circumstances under which they are made, not misleading.” The SEC considers omitted information to be material if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available. If there is a cybersecurity incident and information evolves, disclosure should be updated in each filing for the most recent information available. SEC guidance specifically notes that companies should consider whether they need to revisit or refresh previous disclosure, including during the process of investigating a cybersecurity incident.⁴

B. Business Section

Item 101 of Regulation S-K requires a discussion of a company’s business, including development efforts for new or enhanced products and competitive conditions. In practice, the frequency of cybersecurity-related language in the business section typically depends on the company’s industry. Companies can consider the following questions as a basis for starting to think through whether any additional disclosures should be included in the business section:

• Did any cybersecurity incident or risks materially affect the company’s business?
• Did a cybersecurity incident affect its development of products?
• Are cybersecurity regulations affecting the company’s business?

C. Item 106 — Risk Management Disclosures

Item 106(b)(1) of Regulation S-K requires companies to describe, in their upcoming Form 10-K or 20-F, their processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats. The SEC intentionally used the term “processes” to indicate companies should describe their practices rather than operational details that could be exploited. The rule also requires companies to describe processes insofar as they relate to material cybersecurity risks and notes investors should be able to ascertain whether such risks resulted in the adoption of processes to assess, identify, and manage material cybersecurity risks. A nonexhaustive list of risks companies can consider includes operational risk, intellectual property theft, fraud, extortion, harm to employees or customers, violation of privacy laws and other litigation, and legal risk and reputational risk. The aim is to provide sufficient detail for investors to understand a company’s risk profile. Item 106(b)(1) provides the following nonexclusive list of disclosure items:

• Whether and how the described cybersecurity processes in Item 106(b) have been integrated into the registrant’s overall risk management system or processes;
• Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes;⁵ and
• Whether the registrant has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider.

The SEC indicated that the above elements are nonexclusive, and disclosure is required for whatever information is necessary for a reasonable investor to understand a company’s cybersecurity processes.

Item 106(b)(2) requires companies to describe “whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how.” The SEC has stated that “registrants should consider whether they need to revisit or refresh previous disclosure, including during the process of investigating a cybersecurity incident.”⁶

Item 106(c)(1) requires companies to describe the role of their board of directors in oversight of risks from cybersecurity threats and, if applicable, identify any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats and describe the processes by which the board or such committee is informed about such risks. While the adopted rules do not require companies to disclose the cybersecurity expertise of members of its board of directors, the SEC noted that “a registrant that has determined that board-level expertise is a necessary component to the registrant’s cyber-risk management would likely provide that disclosure pursuant to Items 106(b) and (c).”⁷

Item 106(c)(2) requires companies to describe management’s role in assessing and managing material risks from cybersecurity threats. The rule provides the following nonexclusive list of disclosure items:

• Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;⁸
• The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
• Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.

D. MD&A

Item 303 of Regulation S-K provides that MD&A should include both backward- and forward-looking disclosures. MD&A is required to include information that is material and should include not only material information required by Item 303 but also any other material information that is necessary to make the required disclosures not misleading.

As discussed in more detail below, backward-looking disclosures in MD&A on the impact of cybersecurity-related costs or incidents on a company’s financial condition are likely to be easier to assess than forward-looking disclosures. In this context, consider the following in reviewing MD&A:

• Costs of ongoing cybersecurity efforts, including prevention, cybersecurity incidents, and risks of potential cybersecurity incidents;
• Costs related to a cybersecurity disruption, such as hiring third-party consultants and forensic experts to assist in restoration and mediation and insurance proceeds from any disruption;
• Indirectly related costs, such as loss of intellectual property and the immediate costs of the incident, as well as the costs associated with implementing preventive measures, maintaining insurance, responding to litigation and regulatory investigations, preparing for and complying with proposed or current legislation, engaging in remediation efforts, addressing harm to reputation, and the loss of competitive advantage; and
• If performance is significantly dependent on a company’s ability to continue to innovate and introduce new information technology solutions.

MD&A requires descriptions of matters that have had a material impact on operations, as well as matters that are reasonably likely to have a material impact on future operations. It will require careful analysis by companies and registrants to interpret the requirement of when a potential future impact related to a cybersecurity risk or incident should be disclosed. The rules require the disclosure of “known trends or uncertainties that . . . are reasonably likely to have a material favorable or unfavorable impact on net sales or revenues or income” in relation to results of operations and “known trends or any known demands, commitments, events, or uncertainties” that will or are reasonably likely to result in material changes to liquidity and known material trends in capital resources.⁹ As compared to the traditional materiality analysis, past SEC guidance has provided a different standard for when forward-looking disclosure is required.¹⁰ SEC guidance has stated a disclosure duty exists where the known trend, demand, commitment, event, or uncertainty is both currently known to management and reasonably likely to have material effects on the registrant’s financial condition and results of operation. Where a trend, demand, commitment, event, or uncertainty is known, management must make the following assessments as of the time the determination is made:

• Is the known trend, demand, commitment, event, or uncertainty likely to come to fruition? If management determines that it is not reasonably likely to occur, no disclosure is required.
• If management cannot make that determination, it must evaluate objectively the consequences of the known trend, demand, commitment, event, or uncertainty on the assumption that it will come to fruition. Disclosure is then required unless management determines that a material effect on the registrant’s financial condition or results of operations is not reasonably likely to occur.¹¹

In addition, the assessment must be made in an objectively reasonable manner. The SEC has stated that the standard “reasonably likely to occur” is not the same as the probability and magnitude test, and, if a known trend would reasonably be likely to have a material effect on the registrant’s future results or financial condition, disclosure is required.¹² This analysis will be particularly challenging if, for example, there is a cybersecurity breach for which little information is immediately available. If management is unable to determine that a material effect on future financial condition or results of operations is not reasonably likely to occur, MD&A disclosure on the potential effects would likely be required.

E. Risk Factors

Consider relevant buckets of risks. While most companies already have risk factor disclosures related to cybersecurity, companies should examine and update their current risk factors, given heightened regulatory scrutiny. If cybersecurity risks are integrated into another risk factor that includes other unrelated risks, one or more stand-alone risk factors is recommended, given the importance of cybersecurity to nearly every business. Prior guidance by the SEC from 2018 provided the following issues for companies to consider when evaluating cybersecurity risk factor disclosures:

• The occurrence of prior cybersecurity incidents, including their severity and frequency;,
• The probability of the occurrence and potential magnitude of cybersecurity incidents;
• The adequacy of preventive actions taken to reduce cybersecurity risks and the associated costs, including, if appropriate, discussing the limits of the company’s ability to prevent or mitigate certain cybersecurity risks;
• The aspects of the company’s business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks, including industry-specific risks and third-party supplier and service provider risks;
• The costs associated with maintaining cybersecurity protections, including, if applicable, insurance coverage relating to cybersecurity incidents or payments to service providers;
• The potential for reputational harm;
• Existing or pending laws and regulations that may affect the requirements to which companies are subject relating to cybersecurity and the associated costs to companies; and
• Litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.¹³

Consider risks related to recent acquisitions. If the company is acquisitive, be sure to include risk factors that arise in connection with acquisitions, such as efforts to remediate the cybersecurity systems of acquired companies, increased costs to assess and remedy vulnerabilities, or similar risks.

Risk factors should not be generic. To be useful to investors, risk factor disclosures may require the disclosure of previous or ongoing cybersecurity incidents to place the risk discussion in the appropriate context.¹⁴ Even if a past security breach or cybersecurity attack did not have a material impact on the company, companies should disclose that they have experienced cybersecurity incidents to contextualize the risk factor disclosure. Counsel should carefully review language to ensure the disclosure is technically accurate and no realized risks are described as hypothetical.

Do not describe a risk as hypothetical if the risk has materialized. The SEC has consistently indicated that risks that are described as merely hypothetical, if they have occurred, imply that the event has not occurred and are therefore misleading. For example, if a company has experienced a cybersecurity incident, hypothetical disclosure of potential risks if a cybersecurity incident were to occur is not sufficient to satisfy a company’s reporting obligations. Companies would need to conduct a careful review of the language in the risk factors to ensure risks related to such incident are not described hypothetically. For example, language such as “attacks may occur” should be revised to state “attacks have in the past and may in the future occur.”

Revisit and update risk disclosures in each filing. In addition, as cybersecurity risks and the extent of repercussions from a cybersecurity incident evolve over time, risk factor disclosures in a company’s reports need to be updated with every filing to make sure they reflect current information.

F. Disclosure Controls and Procedures

In its 2018 guidance,¹⁵ the SEC emphasized the importance of disclosure controls and procedures, as well as protocols for determining potential materiality, in order to provide timely information to investors about material cybersecurity risks and incidents. Controls and procedures should enable companies to identify cybersecurity risks and incidents, make sure information is reported up to management and appropriate committees, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communication between technical experts and disclosure advisers, and make timely disclosures regarding such risks and incidents. The certifications required under Exchange Act Rules 13a-14 and 15d-14 by a company’s principal executive officer and principal financial officer and Item 307 disclosures requiring conclusions on the effectiveness of disclosure controls and procedures should take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact.

G. Financial Statements

The SEC has released guidance suggesting that companies consider the following potential impacts related to cybersecurity in their financial statements:

• Expenses related to investigation, breach notification, remediation and litigation;
• Loss of revenue, the need to provide customers with refunds or other incentives, or damage to customer relationships;
• Claims related to warranties, breach of contract, product recall/replacement, indemnification of counterparties, and insurance premium increases; and
• Diminished future cash flows, impairment of intellectual, intangible, or other assets; recognition of liabilities or increased financing costs.¹⁶

H. Legal Proceedings

Item 103 requires disclosure of material pending legal proceedings, including any related to cybersecurity issues. Companies are required to include the name of the court or agency in which the proceedings are pending, the date instituted, the principal parties, a description of the proceeding’s facts, and relief sought.

 

---

^[1] The head of the SEC’s Division of Enforcement stated in 2023 that “firms need to have real policies that work in the real world, and then they need to actually implement them.” Gurbir S. Grewal, Director, Div. of Enforcement, U.S. Securities & Exchange Commission, Remarks at Financial Times Cyber Resilience Summit, June 22, 2023.

^[2] The SEC has also stated “we do not expect companies to publicly disclose specific, technical information about their cybersecurity systems, the related networks and devices, or potential system vulnerabilities in such detail as would make such systems, networks, and devices more susceptible to a cybersecurity incident.” The SEC provided the example that a company should not provide a “roadmap” for those who seek to penetrate a company’s security protections. Securities Act Release No. 10459, Commission Statement and Guidance on Public Company Cybersecurity Disclosures. Similarly, the SEC recognized this concern in the adoption of the new Item 1.05 Form 8-K requirement by including the instruction that a “registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.”

^[3] Gurbir S. Grewal, Remarks at Financial Times Cyber Resilience Summit, June 22, 2023.

^[4] Securities Act Release No. 10459, Commission Statement and Guidance on Public Company Cybersecurity Disclosures.

^[5] Item 106(b) does not require such parties to be named, nor their specific services to be described. See 17 C.F.R. § 229.106(b).

^[6] Securities Act Release No. 11216, Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.

^[7] Securities Act Release No. 11216, Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.

^[8] Relevant expertise of management may include, for example, “[p]rior work experience in cybersecurity; any relevant degrees or certifications; any knowledge, skills, or other background in cybersecurity.” See 17 C.F.R. § 229.106(b). This disclosure should generally indicate whether the registrant has a chief information security officer (although the final rules do not require disclosure whether there is a CISO).

^[9] Item 303(b) of Regulation S-K, 17 C.F.R. § 229.303(b).

^[10] “Required disclosure is based on currently known trends, events, and uncertainties that are reasonably expected to have material effects, such as: A reduction in the registrant’s product prices; erosion in the registrant’s market share; changes in insurance coverage; or the likely non-renewal of a material contract. In contrast, optional forward-looking disclosure involves anticipating a future trend or event or anticipating a less predictable impact of a known event, trend or uncertainty.” Securities Act Release No. 6835, Exchange Act Release No. 26831 (May 18, 1989), Management's Discussion and Analysis of Financial Condition and Results of Operations; Certain Investment Company Disclosures, May 18, 1989.

^[11] Securities Act Release No. 6835, SEC Interpretation: Management’s Discussion and Analysis of Financial Condition and Results of Operation, Release No. 33-6835, May 18, 1989.

^[12] The SEC has stated:

"Taking these concepts into account, when applying the ‘‘reasonably likely’’ threshold, registrants should consider whether a known trend, demand, commitment, event, or uncertainty is likely to come to fruition. If such known trend, demand, commitment, event, or uncertainty would reasonably be likely to have a material effect on the registrant’s future results or financial condition, disclosure is required. Known trends, demands, commitments, events, or uncertainties that are not remote or where management cannot make an assessment as to the likelihood that they will come to fruition, and that would be reasonably likely to have a material effect on the registrant’s future results or financial condition, were they to come to fruition, should be disclosed if a reasonable investor would consider omission of the information as significantly altering the mix of information made available in the registrant’s disclosures. This analysis should be made objectively and with a view to providing investors with a clearer understanding of the potential material consequences of such known forward-looking events or uncertainties."

Management’s Discussion and Analysis, Selected Financial Data, and Supplementary Financial Information, Securities Act Release No. 10890, Exchange Act Release No. 90459, Final rule: Management’s Discussion and Analysis, Selected Financial Data, and Supplementary Financial Information, Feb. 10, 2021.

^[13] Securities Act Release No. 10459, Commission Statement and Guidance on Public Company Cybersecurity Disclosures.

^[14] In past guidance, the SEC provided the following example:

"If a company previously experienced a material cybersecurity incident involving denial-of-service, it likely would not be sufficient for the company to disclose that there is a risk that a denial-of-service incident may occur. Instead, the company may need to discuss the occurrence of that cybersecurity incident and its consequences as part of a broader discussion of the types of potential cybersecurity incidents that pose particular risks to the company’s business and operations. Past incidents involving suppliers, customers, competitors, and others may be relevant when crafting risk factor disclosure. In certain circumstances, this type of contextual disclosure may be necessary to effectively communicate cybersecurity risks to investors."

Securities Act Release No. 10459, Commission Statement and Guidance on Public Company Cybersecurity Disclosures.

^[15] Securities Act Release No. 10459, Commission Statement and Guidance on Public Company Cybersecurity Disclosures.

^[16] Securities Act Release No. 10459, Commission Statement and Guidance on Public Company Cybersecurity Disclosures.

 

This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee a similar outcome.