Bass, Berry & Sims attorneys Anthony (Tony) McFarland and Jay Knight lent their insights to an article in The Wall Street Journal on cybersecurity risk disclosures. As outlined in the article, while the U.S. Securities and Exchange Commission (SEC) has previously issued guidance on cybersecurity risk disclosure, many companies are uncertain about how to proceed when there is a question of what should be included in their 10-K statement. For example, what are the benefits of fuller disclosure, and will disclosing more help the business if it is investigated for a data breach? Tony, chairman of the firm's Technology Committee, noted that companies should be prepared to make fuller disclosures, even on matters that are not necessarily mandated by state breach notification laws. "The SEC is becoming of the opinion that it is better to make disclosures if a company has had a number of incidents, even if they are not individually material, and even if that's not the perspective the company or its counsel would bring to the table in responding to a specific incident."
Jay, head of the firm's Capital Markets Subgroup and former SEC counsel, said that companies that have been subject to breaches are providing guidance for other companies, and that "best practices" for disclosure are based on industry. Tony added that this is a dynamic and fluid area, saying "This is an area where continual monitoring and diligence and being up to date is important, so you can make sure your own disclosures are accurate, up to date and within the range of other companies' disclosures in your industry."
The full article, "The Morning Risk Report: Cybersecurity Disclosures Are Risky Business," was published by The Wall Street Journal's "Morning Risk Report" on June 8, 2015, and is available online.
Content from The Wall Street Journal article was cited in the article, "SEC Suggests, But Doesn't Require, Full Disclosure of All Cybersecurity Risks," that was published by CFO.com on June 9, 2015.