Back to the Library
In only the second topic published by the SEC’s Division of Corporation Finance as “CF Disclosure Guidance: Topic 2,” the Division provided guidance on the topic of disclosure obligations relating to cybersecurity risks and incidents (“Guidance”). Published on October 13, 2011, the Guidance follows an explosion of high profile cyber attacks at major corporations this year. In the much publicized attack on Sony in April, hackers stole the personal information of millions of registered users of Sony’s PlayStation Network; in March, EMC Corporation’s data security unit RSA, suffered a massive breach that resulted in the theft of data related to its SecurID tokens used by millions of private and government employees; and, in April several large financial institutions, including Citigroup and JP Morgan Chase, faced breaches of personal customer information when hackers penetrated a firm that handled their email communications as well as those of some of the largest companies in the United States.
Although there are no existing disclosure requirements that explicitly refer to cybersecurity risks and cyber incidents, the Guidance advises companies to consider whether the existing disclosure requirements in SEC filings, impose a disclose obligation.