On October 13, 2011, the Security Exchange Commission, Division of Corporations, released “new guidance” to the shareholder disclosure requirements of publicly traded companies. Specifically, the SEC noted the significance of “cyber risks” in the scheme of assessing the overall risks and liabilities of a business. The rationale for recommending the inclusion of cyber risks relied heavily upon the breadth of exposure they can entail, including:
Remediation costs that may include liability for stolen assets or information and repairing system damage that may have been caused. Remediation costs may also include incentives offered to customers or other business partners in an effort to maintain the business relationships after an attack; Increased cybersecurity protection costs that may include organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third party experts and consultants; Lost revenues resulting from unauthorized use of proprietary information or the failure to retain or attract customers following an attack; Litigation; and Reputational damage adversely affecting customer or investor confidence.
What is the effect of this new guidance? If nothing else, it certainly demonstrates near codification/recognition of the substantial impact any cyber security breach can have on the financial operation of a company. Only time will tell if alleged failures to adequately disclose cyber risk or cyber incidents in accord with these recommendations will open the door to new investor/shareholder claims of insufficient and/or misleading disclosures.