Preparing for Cybersecurity Disclosure as a Public Company

The SEC, investment banks and other stakeholders are increasingly focused on cybersecurity in IPO companies given the potential financial, legal and reputational risks. Cyber incidents, whether unintentional events or deliberate attacks on company networks, can have significant impacts on a company, including the loss or theft of valuable company data; the disclosure of sensitive company, customer or personal information; the destruction or corruption of important files; and the disruption of business operations. These impacts may lead to remediation costs, increased cybersecurity protection costs, lost revenue, litigation, regulatory investigations and reputational harm. As a result of these risks, companies need to carefully consider their disclosure obligations—both in the Form S-1 and in post-IPO filings with the SEC—relating to cybersecurity risks and related processes and practices.

In July 2023, the SEC adopted rule amendments to enhance disclosures about cybersecurity risk management, strategy, governance and incident reporting that have led to operational and governance changes for many public companies. The new rules represent a significant expansion of the SEC’s 2018 guidance on cybersecurity disclosure by public companies. The 2018 guidance, which remains in effect and applies equally to IPO companies, emphasizes the importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents, and requires companies to establish and maintain appropriate disclosure controls and procedures that enable them to make accurate and timely disclosures of material cybersecurity events.

CYBERSECURITY DISCLOSURES

The 2023 rules as well as the older 2018 guidance make clear that a number of SEC disclosure requirements can result in an obligation to disclose cybersecurity risks and incidents, depending on a company’s particular circumstances, and, in the case of a publicly held company, to update its prior cybersecurity-related disclosures.

Form S-1

Risk Factors. Under Item 105 of Regulation S-K, cybersecurity risks should be disclosed if those risks are among the “most significant factors that make investments in the company’s securities speculative or risky.” Companies are encouraged to consider the following issues:

  • the occurrence of prior cybersecurity incidents, including their severity and frequency;
  • the probability of the occurrence and potential magnitude of cybersecurity incidents;
  • the adequacy of preventive actions taken to reduce cybersecurity risks and the associated costs, including, if appropriate, discussing the limits of the company’s ability to prevent or mitigate certain cybersecurity risks;
  • the aspects of the company’s business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks, including industry-specific risks and third-party supplier and service provider risks;
  • the costs associated with maintaining cybersecurity protections, including, if applicable, insurance coverage relating to cybersecurity incidents or payments to service providers;
  • the potential for reputational harm;
  • existing or pending laws and regulations that may affect the requirements to which companies are subject relating to cybersecurity and the associated costs to companies, including litigation and regulatory enforcement; and
  • remediation costs associated with cybersecurity incidents.

Caution should be taken not to describe risks that have already materialized as hypothetical in nature. This can be especially challenging for cyber disclosure when there is a pattern of attempted, but seemingly thwarted, incursions. Such a pattern does not, however, require that companies disclose granular detail about any incidents that may compromise their remediation efforts or cybersecurity defenses.

MD&A. Regarding a company’s disclosure of known events, trends and uncertainties under Item 303 of Regulation S-K, the 2018 guidance notes that companies should consider “the cost of ongoing cybersecurity efforts (including enhancements to existing efforts), the costs and other consequences of cybersecurity incidents, and the risks of potential cybersecurity incidents, among other matters.” Other potential costs that companies should consider include loss of intellectual property, costs of remediation and preventive measures, insurance, litigation, regulatory investigations, legislative developments, and reputational and competitive harm.

Business. Appropriate disclosure must be provided regarding a company’s description of its business under Item 101 of Regulation S-K, particularly where “cybersecurity incidents or risks materially affect a company’s products, services, relationships with customers or suppliers, or competitive conditions.”

Legal Proceedings. The occurrence of a cybersecurity incident may require disclosure under Item 103 of Regulation S-K if it results in a material pending legal proceeding.

Financial Statements. A cybersecurity incident may also impact a company’s financial statements, and the 2018 guidance states the SEC’s expectation “that a company’s financial reporting and control systems would be designed to provide reasonable assurance that information about the range and magnitude of the financial impacts of a cybersecurity incident would be incorporated into its financial statements on a timely basis as the information becomes available.”

Form 10-K

Cybersecurity Risk Management, Strategy and Governance. In addition to the above disclosures, new Item 1C to Form 10-K directs public companies to provide the information required by new Item 106 of Regulation S-K. Annually, a company must disclose company processes to assess, identify and manage material cybersecurity risks; any material impacts the company has suffered from cybersecurity risks, including previous cybersecurity incidents; management’s role and expertise in assessing and managing material cybersecurity risks; and the board of directors’ oversight of cybersecurity risks. Disclosure is also required regarding the relevant experience of members of management who are responsible for assessing and managing cybersecurity risk, which need only be in such detail as “necessary to fully describe the nature of the expertise.” This may include prior cybersecurity work experience; any relevant degrees or certifications; or any knowledge, skills or additional background in cybersecurity.

FORM 8-K REPORTING OBLIGATIONS

What disclosure is required? In July 2023, the SEC adopted Item 1.05 (Material Cybersecurity Incidents) of Form 8-K, which requires a company, if it determines that it has experienced a material cybersecurity incident, to report under Item 1.05 of Form 8-K the material aspects of the nature, scope and timing of the incident, and the material impact or reasonably likely material impact on the company, including its financial condition and results of operations.

How does the SEC define a cybersecurity incident? “Cybersecurity incident” means an unauthorized occurrence, or a series of related unauthorized occurrences, whether unintentional or malicious, on or conducted through a company’s information systems that jeopardizes the confidentiality, integrity or availability of a company’s information systems or any information residing therein. The term “information systems” casts a wide net, capturing electronic information resources owned or used by the company, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of the company’s information to maintain or support the company’s operations. Because the definition of “information systems” covers electronic information resources “owned or used” by the company, a company is required to disclose a cybersecurity incident suffered by a third-party service provider’s system if that incident has a material impact on the company.

What is the scope of disclosure? While companies should continue to ensure that disclosure of cyber risk and the extent of incidents is accurate and not misleading, companies need not disclose “specific or technical information” about their incident response or cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the company’s response or remediation of the incident.

How should a company assess the materiality of a cybersecurity incident? Whether a cybersecurity incident is “material” is to be analyzed under the traditional securities law definition of materiality, meaning an incident is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.” Companies must consider both qualitative and quantitative factors when assessing the materiality of a cybersecurity incident, including, but not limited to:

  • quantitative financial impacts, including reasonably expected lost revenue, remediation costs, expenses from legal and regulatory proceedings, and impacts on net income and total and current assets;
  • operational importance of affected systems, including any impact to the company’s key systems or information the company considers its “crown jewels”;
  • duration of the incident and disruption, method of detection and readiness of response;
  • ability to restore affected systems and the expected integrity of those systems once restored;
  • nature, scope and magnitude of compromised data;
  • harm to reputation, brand perception, and relationships with customers, vendors and other business partners; and
  • likelihood of regulatory actions and litigation.

The inability to determine the full extent of the incident, or the ongoing nature of the company’s investigation, is not a relevant consideration in the materiality analysis. Companies may consider voluntarily disclosing cyber incidents that have not been determined to be material through other channels, including Form 8-K Items 7.01 or 8.01, but should continue to reassess Item 1.05 reporting obligations as new developments arise.

DISCLOSURE CONTROLS AND PROCEDURES

Every public company must maintain “disclosure controls and procedures” designed to ensure that information required to be disclosed in SEC reports is accurately recorded, processed, summarized and reported within the time periods specified in SEC rules, and is accumulated and communicated to the company’s management to allow timely decisions regarding required disclosure. In light of new Item 1.05 of Form 8-K, it is important for companies to coordinate their cybersecurity incident response plans with appropriate disclosure controls and procedures relating to cybersecurity incidents that may be material. As an initial matter, companies should focus on their internal processes for evaluating incidents and escalating information within the organization, their incident response procedures, the interaction of their technical experts with their disclosure committee (or other group within the company that performs a similar function), and the process for promptly assessing the materiality of events for purposes of Form 8-K reporting.

Management and Board Oversight. The new rules require disclosure of management and board oversight of cyber risk, including the reporting processes used to escalate information. Companies should identify the personnel who are most likely to become aware of a cyber incident and educate them on reporting requirements and communication channels. Companies are also encouraged to review the allocation of cyber risk responsibility and oversight between the board and management and educate directors and the IT team on reporting obligations and trends.

Incident Response Plan. A comprehensive incident response plan is a central tool companies should implement before a threat materializes to ensure compliance with disclosure obligations and readiness of response.

Updating Controls and Procedures. The constantly changing threat of cyberattack dictates that companies regularly review and update disclosure controls and procedures to reflect technological realities, the evolving threat environment, disclosure trends at peer companies and corporate developments. Companies are encouraged to assess and benchmark their controls against recognized cybersecurity frameworks, such as those published by the National Institute of Standards and Technology, or other suitable industry standards. Companies that are active in acquisitions should also quickly fold new subsidiaries into the control environment and add cybersecurity as a key item for due diligence and integration planning.

Regulation FD. The 2018 guidance indicates that companies should adopt policies and procedures to prevent selective disclosures of material nonpublic information regarding cybersecurity risks and incidents and ensure that any Regulation FD-required disclosure is made either simultaneously (for intentional disclosures) or promptly (for unintentional disclosures).

In a June 2024 statement, the Director of the SEC Division of Corporation Finance confirmed that the new cybersecurity rules did not limit private, Regulation FD-compliant disclosure of cyber incidents, including disclosure to parties under a duty of confidentiality or otherwise not subject to Regulation FD.

CYBERSECURITY ENFORCEMENT

In October 2024, the SEC announced charges against four companies involving materially misleading cybersecurity disclosure. The charges stemmed from an investigation related to the SEC’s case against SolarWinds. The SEC alleged that each of the companies negligently minimized its cybersecurity incident in public disclosures, including, in two of the cases, framing cybersecurity risks in generic or hypothetical terms despite knowing the threats had materialized, and in the others, understating the impacts from cyber incidents. These companies agreed to pay civil penalties between $990,000 and $4 million to settle the charges.

These actions reflect a trend of SEC enforcement centered on misleading disclosure and deficient controls and procedures. For example, in recent years, three other companies have agreed to pay civil penalties of $35 million, $1 million and $2.1 million, respectively, to settle similar cybersecurity charges.

Insider Trading. Beyond disclosure, the 2018 guidance reminds companies and their insiders to implement policies and procedures ensuring compliance with the insider trading laws in connection with information about cybersecurity risks and incidents. In designing compliance controls, companies are encouraged to consider whether to impose trading restrictions when facing cybersecurity incidents.
