Recent SEC Guidance on Cybersecurity Disclosure Obligations
Considering potential environmental impacts and insurance coverage issues
In response to stakeholder petitions and Congressional requests seeking improvements in corporate risk disclosures, the Securities and Exchange Commission (SEC) has been active in issuing guidance to enhance disclosure obligations. The SEC entered new territory with the issuance of its Climate Change Disclosure Guidance in 2010 and, more recently, with proposals drafted in conjunction with the Dodd-Frank Act that would require disclosure of certain health and safety compliance violations. Investors have cited inadequate disclosures of environmental, health, safety, and "sustainability" risks as examples in complaints to the SEC, because such disclosures are perceived as a tangible reflection of the quality of company management: mismanagement of these risks directly affects not only investors but also the public at large.
The SEC's Division of Corporation Finance (Division) recently issued guidance that responds to concerns about whether organizations are keeping pace with evolving technology and the cybersecurity threats that accompany it. Rather than creating a new disclosure requirement, the guidance draws on existing disclosure obligations for its authority. Accordingly, this latest development continues the recent evolution of disclosure requirements designed to encourage companies to address their vulnerability to, and readiness to respond to, business risks that are increasingly difficult to anticipate and manage given trends in globalization, technological innovation, and stakeholder expectations for performance.
This article by Kathryn D. Pavlovsky, Principal, Deloitte Financial Advisory Services LLP, and Vincent E. Morgan, Partner, Pillsbury Winthrop Shaw Pittman LLP addresses three topics. It begins with a brief discussion of the recent guidance. Next, it offers recommendations to companies on how to incorporate this guidance into their disclosure controls and procedures by exploring examples of cybersecurity risks through the lens of potential environmental incidents. Finally, it uses that framework to analyze the implications of the Division’s reference to insurance as an appropriate subject of disclosure concerning cybersecurity risks.
The article was originally published by Bloomberg Finance L.P. in the Vol. 6 No. 1 edition of the Bloomberg Law Reports—Commercial Insurance.