Disclosures 2012: level of cyber-security risk disclosures varies after new SEC guidance

April 6, 2012

By Robert Kalb

NEW YORK, April 6 (Business Law Currents) – Ever-growing reliance on technology in customer interactions, proprietary data storage and even normal business operations is creating increased risk for companies working to ensure these systems remain uncompromised. As threats of cyber-attacks expand across industries, and given the potential material impact on operations, the security of these digital technologies from internal and external threats is vital.

Prior to newly released SEC guidance, there were no existing requirements to explicitly disclose these cyber-risks. With annual reports now being filed and sent to shareholders, companies have made varied levels of cyber-risk disclosure, and these disclosures may expand in the future with subsequent regulatory oversight.

On October 13, 2011, the Division of Corporation Finance of the Securities and Exchange Commission (DoCF) issued CF Disclosure Guidance: Topic #2 (Guidance), related to disclosure obligations regarding cyber-security risks and cyber-incidents for public companies dependent on digital technologies. The non-binding Guidance was provided in response to a growing sentiment that there needed to be a better matrix within which risk disclosures are made under federal securities laws.

The Guidance leaves the inclusion of cyber-security risks to the individual company, but stresses that relevant risk disclosures do not need to be detailed to the extent they would harm security efforts. However, it recommends that any risk disclosure be company-specific in nature.

While the Guidance contains broad language regarding the manner in which a cyber-attack may occur, cyber-related disclosures should be evaluated when companies prepare disclosures in their Forms 10-K, 20-F, 40-F, as well as financial statements and annual reports. The management discussion and analysis section could be the ideal place to address cyber-security risk or cyber-incidents if costs or consequences related to known incidents or risk of possible incidents present a material event, trend or uncertainty reasonably likely to have a material effect on a company’s results or financial condition.

10-Ks generally highlight cyber-security issues in their risk factor sections with varying degrees of specificity as to the nature and scope of risks. A good example of a disclosure with wide scope is that of NBCUniversal Media, LLC, which states that activities such as computer hacking, cyber-attacks, or “other malicious activities” could disrupt services. It also mentions that security breaches such as misuse and “leakage” could lead to significant capital outlays that insurance may not cover.

Some 10-K disclosures are more specific and run through a lengthier list of risk factors. KBR, Inc.’s risk factors section mentions that failure or disruption of its IT systems could disrupt or decrease performance, with litigation contingencies clearly delineated. Supermedia Inc states that breaches of cyber/data security measures, such as loss of confidential or proprietary data, could materially and adversely affect its reputation.

While these examples show that disclosure standards are varied across companies, the notification standards following a security breach appear equally in flux. US Airways Group Inc states in its 10-K that, in light of cyber-security risks, it has seen a heightened legislative and regulatory focus on data security. This focus includes requirements for “varying levels of customer notification” in the event of a breach. Geeknet Inc notes in its risk factors section that a security breach due to cyber-attacks that leads to misuse of customer information could compel the company to comply with “disparate breach notification laws in various jurisdictions.”

Cyber-threats may appear more prominently in certain industries, particularly ones where large amounts of personal data are handled on a daily basis. Retailers, already keenly aware of privacy laws and their effect on how sensitive personal data may be collected and used, need to be especially aware of the risks cyber-threats present. A cyber-attack on the computer systems holding such sensitive information could result in a breach of these privacy laws.

Some retailers have begun to disclose these risks within their risk factors. Chicos FAS Inc states in its 10-K that it has a cyber-security risk due to the nature of its business involving the storage and transmission of customers’ personal information. Chicos also notes that a successful attack could result in its reputation being damaged, potential lost business, and fines due to non-compliance with privacy laws. Similarly, Nordstrom Inc states that its risk extends to its own credit operations, social networking and “other online activities” it uses to connect with customers.

Children’s Place Retail Stores Inc goes into greater detail with respect to the risks cyber-threats pose, and the mitigating actions it has taken. The company notes that a cyber-attack could result in the theft of confidential data, operational delays resulting from disruption of the computer network, negative publicity and lost sales. While the systems and procedures it has in place meet the Payment Card Industry data security standards, the company notes that customers have high expectations for the protection of their personal data.

The healthcare industry also faces an increased cyber-security risk because it stores sensitive patient information, which is regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Retirement home operator AdCare Health Systems Inc sees threats of cyber-attacks on its computer systems in the processing, transmission and storing of sensitive patient information. AdCare notes that if patient data is improperly accessed, it may face sanctions or criminal procedures if it is found to be in violation of privacy rules under HIPAA.

When a company experiences a cyber-incident, the Guidance notes that a company may need to disclose the incident and its effects rather than make a general risk disclosure about cyber-threats. Global Payments Inc acknowledged that cyber-attacks had breached its systems, and that the unauthorized access included sensitive credit card data. While the company has not been able to measure the full effects of the breach, it disclosed that it has increased its network monitoring and security measures in response. Similarly, Zogenix Inc disclosed that it experienced information system failures that may have been the result of a cyber-attack. The security breach disrupted normal business operations and took a “substantial expenditure” of financial resources to remedy.

While it has not reported an outright security breach, Northrim Bancorp Inc disclosed that it is exposed to cyber-attacks in the normal course of business. Northrim believes that these attacks are aimed at the theft of financial assets, but it has not incurred material losses related to any attack.

The risk of cyber-attacks in a digital world is unlikely to diminish. Companies must seek to secure themselves from attacks or face the financial, legal and reputational damage that a security breach would cause. Sound corporate governance practices including extensive shareholder communication and timely disclosure will ensure that investors are fully aware of the risks involved. The SEC’s current non-binding guidance is a step in the right direction, but as cyber-threats grow across the corporate landscape, further guidance may become far more stringent.

(This article was first published by Thomson Reuters’ Business Law Currents, a leading provider of legal analysis and news on governance, transactions and legal risk. Visit Business Law Currents online at http://currents.westlawbusiness.com.)

