Cyber Breach Disclosure

By Randi Morrison posted 03-25-2019 08:02 PM

  

Pryor Cashman offers succinct and sound guidelines to inform companies' cyber breach disclosure evaluation and approach in this Directors & Boards article: "SEC Disclosure Requirements for Cybersecurity Breaches Are Murky." Disclosure considerations include: (i) the materiality of the breach, (ii) prompt - but not premature - disclosure, (iii) reviewing prior disclosures for potential updates, (iv) regulatory notifications, cooperation, and coordination, and (v) proactive risk disclosure going forward. 

This synopsis of factors to consider in making materiality judgments is particularly instructive for those tasked with communicating to - and eliciting from - others internally the relevant information necessary to make a disclosure determination:

  • Importance of the compromised data or information to the company
  • Nature, extent and potential magnitude of any compromised information
  • Likely impact of the incident on company operations
  • Range of harm (e.g. financial, legal, reputational, relational) that the incident could cause
  • Possibility of regulatory action (e.g. by the FTC, HHS, FCC, SEC, state AGs or foreign governments) or litigation

See also "12 tips for effectively presenting cybersecurity to the board" (CSO Online); these recent reports: "Reminder: SEC Focused on Cyber, Brexit, LIBOR-Related Disclosure" and "SEC Looking for Better Brexit/Cyber/Libor-Related Risk Disclosure"; and additional information & resources on our Cybersecurity/Data Privacy and Financial Reporting pages.

This post first appeared in the weekly Society Alert!
