SEC Remains Concerned About Cybersecurity Disclosures, Official Says

Bloomberg BNA’s Corporate Law & Accountability Report is available on the Corporate Law Resource Center. This news service keeps corporate practitioners informed of legal developments of...

By Yin Wilczek

Feb. 23 — The Securities and Exchange Commission remains concerned about—and focused on—corporate disclosures related to cybersecurity, a senior official said Feb. 21.

In an era of more and more frequent cyber events, Karen Garnett, associate director of disclosure operations at the SEC's Division of Corporation Finance, urged companies that have experienced a breach to carefully evaluate the materiality of the incidents to see if they warrant disclosures to the SEC and investors.

While the staff understands that not every breach is material, cybersecurity increasingly is an issue for companies, Garnett said.

Garnett spoke at a Corp. Fin. panel at the Practising Law Institute's “SEC Speaks” event in Washington. The SEC officials said they voiced their own views, which did not necessarily reflect those of the commission or other staff members.

Recent Hacks 

Recent major cyber events include breaches at Sony Corp. and Anthem. Sony's breach was estimated by commentators to have cost the company as much as $100 million in terms of lost productivity and to replace hardware, among other actions.

The SEC, in addition to its disclosure concerns, also is scrutinizing companies that have experienced a cyber breach to determine whether this may signal a material weakness in their internal controls over financial reporting.

Segment Reporting

In other comments, Garnett said that segment reporting remains a disclosure hot topic for the SEC. The staff continues to issue comments with respect to segment disclosures, she said. Garnett added that if a company appears to have several distinct lines of business but only discloses one segment, the staff “will ask why.”

Moreover, the staff is tracking industry events in its review, and issuers should carefully evaluate whether such events affect their disclosures, Garnett said. For example, she cited

Disclosure Effectiveness 

Meanwhile, Garnett said Corp. Fin.'s review of the effectiveness of the SEC disclosure regime is ongoing. The three general areas of staff focus are:

• Regulation S-K

• Regulation S-X; and

• how corporate disclosures are provided and presented in the SEC's EDGAR system.

 

Garnett noted that the staff will be including Forms 8-K in the disclosure review. As for the EDGAR system review, the staff is considering some “incremental changes” in how EDGAR filings are presented on the SEC's website, she said.

For example, the staff is looking at how search results or search options may appear to investors, she said. In addition, the staff is considering ways in which exhibit information may be presented in a more manageable way.

Garnett also noted that any changes to EDGAR likely will not happen overnight. “This is not something we expect to happen very quickly,” she said.

To contact the reporter on this story: Yin Wilczek in Washington at ywilczek@bna.com

To contact the editor responsible for this story: Kristyn Hyland at khyland@bna.com