Here is the Cybersecurity disclosure guidance being provided by the Division of Corporate Finance of the Securities and Exchange Commission.
The good part is they don’t require disclosure that could act as a “roadmap” to infiltrate the registrant’s network security. And, in case you didn’t know your loss exposure, they provided a non-exhaustive list including, 1) repair and remediation costs, 2) incentives to repair relationships with customer or other business partners, 3) increased security protection and training, 4) lost revenue directly from downtime, and lost customers/prospects, 5) liability and other litigation costs, 6) reputational damage with customers and investors, and, 7) financial statement hits (warranty liability, product returns, capitalization of software costs, inventory write-downs.)
As for actual disclosure, the guidance points to specific forms (Form 6-K or Form 8-K to disclose the costs and other consequences of material cyber incidents – see Item 5(a) of Form F-3 and Item 11(a) of Form S-3) and they remind registrants of the materiality clauses (Securities Act Rule 408, Exchange Act Rule 12b-20, and Exchange Act Rule 14a-9) and the “substantial likelihood that a reasonable investor (note, not reasonable tech geek) would consider it important in making an investment decision or if the information would significantly alter the total mix of information made available.”
The “materiality” issue is still developing in Canada, and (no surprise) there are conflicting decisions and hotly debated arguments. Here is a recent Ontario Securities Commission case that draws some light on the subject (and here is an older one.)
Issuers do not have present risks “that could apply to any issuer or any offering.”
The key concern is that disclosure decisions must consider “risk” not just loss or actual incidents or threatened attacks. However, as will all disclosure advice, “boilerplate” language will be looked on unfavourably. Registrants need to evaluate their cybersecurity risk considering prior incidents, potential for reoccurrence, experience of competitors and other industry participants, magnitude of potential loss, and adequacy of loss control activities.
A further disclosure requirement is discussion regarding the effectiveness of policies, procedures and controls surrounding cyber incidents and the disclosure process itself.
Cyber Risk is a very new and developing field. Therefore, available guidance is not very specific. This risk will have to be treated like every other business risk. There are good insurance companies and good insurance products available to accept risk transfer of some, but not all, potential cyber losses. But, like every other specialty line of insurance, there is no standard or regulated policy wording or premium calculation. And, to make things more challenging, cybersecurity insurance policies can be of a rare breed of hybrid “first party” and “third party” coverage, with potential for “claims-made” and “occurrence” responses.
Greg Shields is a D&O, Professional Liability, CyberRisk, Employment Practices Liability, Fiduciary Liability, Crime insurance specialist and a Partner at the University and Dundas (Toronto) branch of Mitchell Sandham Insurance Services. He can be reached at firstname.lastname@example.org, 416-862-5626, or Skype at risk.first.
CAUTION: This article does not constitute a legal opinion or insurance advice and must not be construed as such. It is important to always consult a registered and truly independent insurance broker and a lawyer who is a member of the Bar or Law Society of the relevant jurisdiction with regard to this material before making any insurance or legal decisions. All material is copyrighted by Mitchell Sandham Inc. and may not be reproduced in any form for commercial purposes without the express written consent of Mitchell Sandham Inc. Anyone seeking to link this document from any external website must receive the consent of Mitchell Sandham Inc. by sending an e-mail to email@example.com.