SEC: Businesses Need to Disclose More about Cybersecurity Practices

Just when you thought that federal agencies might finally get the message, the Securities and Exchange Commission has found a new area in which they may want to regulate, or at least require businesses to manage more paperwork.

On October 13, the SEC’s Division of Corporation Finance published a Disclosure Guidance relating to cyber security. The basic thesis of the guidance is that while current requirements do not explicitly refer to cybersecurity, it is the Division’s belief that the requirements “may impose an obligation on registrants to disclose such risks and incidents.” For example, businesses may need to disclose risk factors for investors, such as certain aspects of the business or operations that could create cybersecurity risks and the potential costs and consequences. Registrants with the SEC should avoid giving just boilerplate disclosures, though, which should be “tailored to their particular circumstances.” Good luck trying to figure out how particular it should be.

The SEC’s Division also says that businesses should disclose costs of cyber protection, whether cyber incidents materially affect products, services, and relationships, and whether the company is involved in any legal proceedings. While the guidance says that providing details of cyber security measures is not necessary, it is difficult to see in the guidance where the line is drawn between providing a “roadmap” for future attacks and the more general disclosures the SEC is saying are required.

Not only does this create even more of a burden on businesses that are regulated by the SEC, it also may open up the door to even more shareholder activism. Will some business be the target of both a cyber attack and a shareholder activist lawsuit as a result within short order? Being a victim of a crime is punishment enough – having to disclose intimate details of it and how it affected internal operations of the business leads to unknowns that do not bode well for the business community.

The SEC seems to be in a mode of regulating things that may not even be their domain lately. A Legal Pulse post in August focused on the SEC’s de-facto regulation of fracking. It’s hard to say what the SEC will set its sights on next, but you can guarantee that they will find another way to create more red tape and government burden on business if they have the chance.