The Securities and Exchange Commission’s latest burst of staff guidance—again delivered in the agency’s new, non-binding format of “CF Disclosure”—takes aim at the tricky realm of disclosing cyber-security risks.

The seven-page document, published by staff in the Division of Corporation Finance (hence the “CF”), outlines items companies should consider when identifying specific business risks caused by cyber-security incidents. Among them: how the costs of those incidents might affect the balance sheet; the correlation of those risks to the company’s business model; possible legal proceedings; and how to make appropriate financial statement disclosure to reflect the effect of a cyber-attack.