In February 2018, the US Securities and Exchange Commission (SEC) issued new guidance on cybersecurity. The SEC expects public companies to report material cybersecurity incidents AND potential security risks in all necessary filings.


“Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.”

When a company becomes aware of a cybersecurity incident or risk that would be material to its investors, the SEC expects the company to make appropriate disclosure in a timely manner and sufficiently prior to the offer and sale of securities.

What Do Companies Have To Disclose?

The SEC expects companies to disclose cybersecurity risks and incidents that are material to investors, including the financial, legal, or reputational consequences. Companies are now expected to disclose such potential risks in the following sections of 10Q/10K/8K and different registration statements:

Risk Factors: Disclose prior cybersecurity incidents, including their severity and frequency. Companies should also include the probability of the occurrence and potential magnitude of future cybersecurity incidents. The SEC suggests disclosing the adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs.

MD&A of Financial Condition and Results of Operations: The cost of ongoing cybersecurity efforts (including enhancements to existing efforts), the costs and other consequences of cybersecurity incidents.

Legal Proceedings: Include litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.

Cybersecurity Takes Center Stage

Investors, lawmakers, business leaders and publicly traded companies are taking notice. Cybersecurity is the biggest risk to business. Headlines are appearing daily.

  • Warren Buffett said cybersecurity risk is uncharted territory and warned that it’s a very material risk that didn’t exist 10 or 15 years ago.
  • In April 2019, Jamie Dimon said the risk of cyber attacks “may be biggest threat to the US financial system”.
  • In May 2018, Charles River Labs (NYSE:CRL), the world’s top R&D contractor, disclosed that “highly sophisticated and well-resourced intruders” had stolen data from 1% of its clients.
  • In 2016, the Senate proposed a new bill, the Cybersecurity Systems and Risks Reporting Act, which would have amended the Sarbanes-Oxley Act to include cybersecurity systems. This would have meant that companies would have to have proper standards and audits for both financial statements and information systems. Although the bill never got anywhere, it shows that cybersecurity is turning heads.

The headlines are endless.

The bottom line is this: Current solutions are inadequate at protecting against cyber threats. The business community is now realizing this and is willing to take action against it. Those with innovative cybersecurity defenses stand to benefit the most. We at CyberQuay believe we are well positioned for this upcoming trend.