Staff at the Securities and Exchange Commission's Corporate Finance Division issued non-binding guidance on how companies should disclose cyber-security risks and data breach incidents.
In its latest CF Disclosure Guidance Topic No. 2, released on Oct. 13, staff at the Corporate Finance Division (Corp Fin) outlined companies' disclosure obligations in the event that they experience, or may potentially be affected by, data breach incidents.
Specifically, Corp Fin wants companies to disclose the types of risk they face, an explanation of how a security breach would affect the business, the effect of a data breach (before, during, and after) on the company's financial performance, and a discussion of the adequacy of the company's internal controls and procedures.
Companies are also required to state their own conclusions on the effectiveness of their internal cyber-security controls. The guidance says that if information could not be recorded properly because a cyber incident affected a registrant's information system, the registrant can conclude that its disclosure procedures are ineffective.
The guidance is the second in Corp Fin's series of staff disclosure topics. The first addressed companies' Form 8-K filing requirements for reverse merger transactions. The staff reiterated that the guidance represents the views of Corp Fin and is not a rule; the Commission has neither approved nor disapproved its content.