Featured Market Trends 2020/21: Cybersecurity-Related Disclosures - Technology

Published on August 13th, 2021


SEC Focus

The Securities and Exchange Commission (SEC) has been focused on
cybersecurity issues for over a decade, tracing back to its initial
guidance on this topic in 2011. On October 16, 2018, the SEC
released a report pursuant to Section 21(a) (15 U.S.C. § 78u)
of the Securities Exchange Act of 1934, as amended (the Exchange
Act) detailing its investigation of several public companies that
were victims of cybersecurity-related frauds. See Release No.
84429, available here. While the SEC decided not to pursue
enforcement actions against these companies, it emphasized the duty
of a public company to comply with the requirements of Section
13(b)(2)(B) (15 U.S.C. § 78m) of the Exchange Act to devise
and maintain a sufficient system of internal accounting
controls.

On December 6, 2018, former SEC Chairman Jay Clayton, in a
speech, highlighted cybersecurity risks as one of the prominent
challenges the SEC faces. Former Chairman Clayton reiterated the
SEC's statement and interpretive guidance regarding disclosures
on cybersecurity risks and incidents issued earlier in 2018 (2018
Guidance).

Under the 2018 Guidance, public companies are required to
disclose cybersecurity risks and cyber incidents to the extent that
these are material. In evaluating whether cybersecurity risks or
incidents are material, a public company should consider, among
other things, the nature and magnitude of cybersecurity risks or
prior incidents; the actual or potential harms of a cyber breach to
the company's reputation, financial condition, or business
operation; the legal and regulatory requirements to which the
company is subject; the costs associated with cybersecurity
protection, including preventive measures and insurance; and the
costs associated with cybersecurity incidents, including remedial
measures, investigations, responding to regulatory actions, and
addressing litigation.

Once cybersecurity risks and incidents are determined to be
material, a public company should provide complete and accurate
information in its periodic reports regarding these risks,
incidents, and related investigations or litigation.

Public companies generally include cybersecurity-related
disclosures in the following sections of their offering materials
and periodic reports: Risk Factors, Business, and Management's
Discussion and Analysis of Financial Condition and Results of
Operations (MD&A). Most of the initial cybersecurity
disclosures were generic boilerplate provisions or laundry lists of
risks applicable to almost any company. These disclosures simply
included general statements about cybersecurity risks and incidents
but did not specifically disclose how cybersecurity risks and
incidents might impact the company, its management, operations, and
prospects. At present, companies commonly provide detailed
discussions of ongoing cybersecurity litigation and actions in
their notes to financial statements that are incorporated by
reference in offering materials or periodic reports. This practice
note identifies some cybersecurity-related disclosures that offer
more detailed discussions of effects.

For further information on public company disclosure in general,
see Top 10 Practice Tips: Periodic and Current Public Company
Reporting, Public Company Periodic Reporting and Disclosure
Obligations, and Periodic and Current Reporting Resource Kit.

Other SEC Activity on Cybersecurity

On January 27, 2020, the SEC's Office of Compliance
Inspections and Examinations (OCIE) issued a report of observations
arising from OCIE's examinations on how various broker-dealers,
investment advisers, clearing agencies, national securities
exchanges, and other SEC registrants manage cybersecurity risks and
enhance operational resiliency. The report is available at this
link. OCIE classified its cybersecurity practices into seven
categories: governance and risk management, access rights and
controls, data loss prevention, mobile security, incident response
and resiliency, vendor management, and training and awareness.

On July 10, 2020, the SEC issued a risk alert on ransomware. See
Cybersecurity: Ransomware Alert, available at this link.
Ransomware is a type of malware that infiltrates a company's
electronic systems and denies the company access until it pays a
ransom. The alert identified techniques used by ransomware
operators and mitigation strategies that companies may take
(including, among others, training and awareness of the threat).

Cybersecurity Disclosures in the Risk Factors Section

Item 105 (17 C.F.R. § 229.105) of Regulation S-K requires a
description of material risks that impact a business; how these
risks affect the issuer's financial position, results of
operations, and future prospects; and how an investment in the
offered securities becomes speculative or riskier because of these
risks. For further information, see Market Risk Factors and
Risk Factor Drafting for a Registration Statement. The
disclosures should be in plain English and should not be generic.
For further information on plain English, see
Top 10 Practice Tips: Drafting a Registration Statement and
Glossaries in Prospectuses and Annual Reports-Background.

A majority of companies choose to disclose cybersecurity risks
in the Risk Factors section. The nature of the disclosures varies
by company, but companies that have a strong e-commerce presence or
that have experienced a security breach typically provide
disclosure with particularity. Companies that are subject to
industry regulations on cybersecurity, such as financial services
companies, may want to enhance their disclosures by discussing the
relevant regulatory developments on cybersecurity. When a
cybersecurity breach occurs, a company typically discloses the
incident, together with the remedial actions the company is
planning to undertake, estimated losses arising from the breach,
and whether there are litigation and regulatory actions or other
consequences associated with the cybersecurity breach. For a
further discussion on cybersecurity disclosure, see
Media & Entertainment Industry Guide for Capital Markets.
Set forth below are some examples of cybersecurity disclosures in
the Risk Factors section.





General Disclosure on Cybersecurity Risks

  • "TEC is exposed to potential risks related to
    cyberattacks and unauthorized access, which could cause system
    failures, disrupt operations or adversely affect
    safety

    TEC increasingly relies on information technology systems and
    network infrastructure to manage its business and safely operate
    its assets, including controls for interconnected systems of
    generation, distribution and transmission and financial, billing
    and other business systems. TEC also relies on third party service
    providers to conduct business. As TEC operates critical
    infrastructure, it may be at greater risk of cyberattacks by third
    parties, which could include nation-state controlled parties.


Originally Published by Practical Guidance


© Copyright 2020. The Mayer Brown Practices. All rights
reserved.

This Mayer Brown article provides information and comments on legal
issues and developments of interest. The foregoing is not a
comprehensive treatment of the subject matter covered and is not
intended to provide legal advice. Readers should seek specific
legal advice before taking any action with respect to the matters
discussed herein.
