MCLE Self-Study Article: Cybersecurity — A Top of Mind Issue That Companies Must Consider
By Andrew Serwin, Esq.
Cybersecurity is a critical issue for any business, including a law firm, for a variety of reasons. And for companies that you may represent, there is increasing focus by the SEC on this issue. The Division of Corporate Finance released guidance on cybersecurity and the potential reporting implications of cyber incidents.1 Noting the increasing role of digital technologies, the Division observed that the risks associated with cybersecurity have also increased. These risks include DDoS attacks, theft of intellectual property, economic espionage, the disruption of business operations, and other concerns. These risks can result in exorbitant costs and other negative consequences for your firm and your clients, including:
- Remediation costs that may include liability for stolen assets or information and repairing system damage that may have been caused. Remediation costs may also include incentives offered to customers or other business partners in an effort to maintain the business relationships after an attack;
- Increased cybersecurity protection costs that may include organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third-party experts and consultants;
- Lost revenues resulting from unauthorized use of proprietary information or the failure to retain or attract customers following an attack;
- Litigation; and
- Reputational damage adversely affecting client, customer or investor confidence.
In light of these risks, the Division of Corporate Finance recommended certain cybersecurity disclosures for companies that are subject to its regulatory sweep, though it noted that there are no express cybersecurity disclosure requirements currently in place. One of the issues that the Division identified was the disclosure of cyber issues under the risk factor disclosure. Consistent with the requirements of S-K Item 503(c), the Division believed that cybersecurity disclosures could be appropriate if there were material risks to the company, and that the disclosure should include: