Against a backdrop of increasing SEC scrutiny (see in Cybersecurity: "SEC Edgar Breach Spotlights Issuer Cyber Disclosure Practices") and impending updated guidance (see in Leg & Reg: "Updated Cyber Disclosure Guidance Forthcoming") concerning issuers' cybersecurity disclosures, EY's new "Spotlight on cybersecurity disclosures" offers welcome guidance to companies on the "where, what and how" of disclosing cyber risks, incidents, and related matters. It includes illustrative examples from company filings and a suggested "model" disclosure based on SEC Chair Clayton's recent Statement on Cybersecurity (see also Chair Clayton's update here).
The helpful illustrative examples are taken from actual company disclosures, and cover these scenarios:
- Risk Factor Disclosure
  - Detailed disclosure of risks associated with personal information
  - Disclosure that highlights employee training
  - Disclosure of "regular" attacks
  - Disclosure about risks related to suppliers
  - Disclosure of more detail after a cyber attack
- MD&A
  - Disclosure of disruption of operations
  - Disclosure about costs incurred and how a cyber incident affected the business
- Financial Statement Implications
  - Disclosure about costs incurred, insurance proceeds, and potential losses resulting from claims
The publication also touches on disclosures related to disclosure controls and procedures (DC&P), i.e., suggested disclosure considerations when a cyber incident raises concerns about DC&P effectiveness.
If and when the SEC issues updated guidance, we will address accordingly.
This post first appeared in last week's Society Alert! Please also see our numerous cyber disclosure and other resources here.