United States: Market Trends 2017/18: Cybersecurity Related Disclosures

Last Updated: September 17 2018
Article by Mingli Wu and Hanwen Zhang

On February 21, 2018, nearly seven years after its original guidance on the disclosure of cybersecurity risks and cyber incidents, the Securities and Exchange Commission (SEC) released a statement and interpretive guidance regarding disclosures on cybersecurity risks and incidents (2018 guidance). The 2018 guidance reinforces and expands the SEC's prior guidance regarding cybersecurity disclosures. It likely reflects increased SEC interest, from both a disclosure and an enforcement perspective, in how public companies respond to cybersecurity risks and incidents. This market trends article identifies some representative cybersecurity disclosures and concludes with recommendations for enhancing cybersecurity-related disclosures moving forward. The company name, its industry, and the type of filing accompany each sample disclosure for reference.

The 2018 guidance reminds public companies of their obligation to disclose cybersecurity risks and cyber incidents to the extent that these are material. In evaluating whether cybersecurity risks or incidents are material, a public company should consider, among other things, the nature and magnitude of cybersecurity risks or prior incidents; the actual or potential harms to the company's reputation, financial condition, or business operation; the legal and regulatory requirements to which the company is subject; the costs associated with cybersecurity protection, including preventative measures and insurance; and the costs associated with cybersecurity incidents, including remedial measures, investigations, responding to regulatory actions, and addressing litigation.

Once cybersecurity risks and incidents are determined to be material, a public company should provide complete and accurate information in its periodic reports regarding these risks and incidents.

Public companies generally include cybersecurity related disclosures in the following sections of their offering materials and periodic reports: Risk Factors, Business, and Management's Discussion and Analysis of Financial Condition and Results of Operations (MD&A). To date, most disclosures related to cybersecurity risks and incidents tend to be quite general in nature. On the other hand, a growing number of companies provide disclosures that are more comprehensive and particularized, discussing the potential reputational, financial, or operational harm resulting from cybersecurity breaches, the potential associated litigation or regulatory costs, and their policies and procedures for addressing cybersecurity incidents.

For further information on public company disclosure in general, see Public Company Periodic Reporting and Disclosure Obligations and Periodic and Current Reporting Resource Kit.

Risk Factor Disclosures

Item 503(c) (17 C.F.R. § 229.503) of Regulation S-K requires that a company describe the material risks that impact the company's business, results of operations, and future prospects, as well as, in the case of an offering document, the material risks that make an investment in the offered securities speculative or risky. For further information, see Market Trends 2016/17: Risk Factors, Top 10 Practice Tips: Risk Factors, and Risk Factor Drafting for a Registration Statement. The disclosures should be in plain English and should not be generic. For further information on plain English, see Top 10 Practice Tips: Drafting a Registration Statement and Glossaries in Prospectuses and Annual Reports — Background. A majority of companies choose to disclose cybersecurity risks in the Risk Factor section. The nature of the disclosures varies by company, but companies that have a strong e-commerce presence or that have experienced a security breach typically provide disclosure with particularity. When cybersecurity incidents become known, companies typically disclose the incidents together with remedial actions, estimated losses, and other consequences, such as litigation and regulatory action associated with the incidents. For a further discussion on cybersecurity disclosure, see Media & Entertainment Industry Practice Guide — Regulatory Trends—Cybersecurity risks. Set forth below are some examples of cybersecurity disclosures in the Risk Factor section:

General Disclosure on Cybersecurity Risks

  • "Our business is subject to online security risks, including security breaches and cyberattacks.

    Our businesses involve the storage and transmission of users' personal financial information... The techniques used to obtain unauthorized access, disable, or degrade service, or sabotage systems, change frequently, may be difficult to detect for a long time, and often are not recognized until launched against a target. Certain efforts may be state sponsored and supported by significant financial and technological resources and therefore may be even more difficult to detect. As a result, we may be unable to anticipate these techniques or to implement adequate preventative measures. Unauthorized parties may also attempt to gain access to our systems or facilities through various means, including hacking into our systems or facilities, fraud, trickery or other means of deceiving our employees, contractors and temporary staff. A party that is able to circumvent our security measures could misappropriate our or our users' personal information, cause interruption or degradations in our operations, damage our computers or those of our users, or otherwise damage our reputation... Our information technology and infrastructure may be vulnerable to cyberattacks or security incidents and third parties may be able to access our users' proprietary information and payment card data that are stored on or accessible through our systems. Any security breach at a company providing services to us or our users could have similar effects...

    We may also need to expend significant additional resources to protect against security breaches or to redress problems caused by breaches. These issues are likely to become more difficult and costly as we expand the number of markets where we operate. Additionally, our insurance policies carry low coverage limits, which may not be adequate to reimburse us for losses caused by security breaches and we may not be able to fully collect, if at all, under these insurance policies." eBay Inc., Form 10-Q filed April 26, 2018 (SIC 7389—Services—Business Services)
  • "Risks Related to Cybersecurity.

    Increased reliance on technology by both the Fund and its service providers has resulted in increased risks posed to their respective information systems. The Fund and its service providers are susceptible to cyber-security risks including, among other things, theft, unauthorized monitoring, release, misuse, loss, destruction or corruption of confidential and highly restricted data; denial of service attacks; unauthorized access to relevant systems; compromises to networks or devices that the Fund and its service providers use to service the Fund's operations; or operational disruption or failures in the physical infrastructure or operating systems that support the Fund and its service providers. Cyber-attacks against or security breakdowns of the Fund or its service providers may adversely impact the Fund and its shareholders, potentially resulting in, among other things, financial losses; the inability of Fund shareholders to transact business and the Fund to process transactions; inability to calculate a Portfolio's NAV; violations of applicable privacy and other laws; regulatory fines, penalties, reputational damage, reimbursement or other compensation costs; and/or additional compliance costs. The Fund may incur additional costs for cyber security risk management and remediation purposes. In addition, cyber security risks may also impact issuers of securities in which a Portfolio invests, which may cause a Portfolio's investment in such issuers to lose value. There can be no assurance that the Fund or its service providers will not suffer losses relating to cyber-attacks or other information security breaches in the future." Venture Lending & Leasing IX, Inc., Form 10-K filed March 16, 2018
  • "Our business depends on the Internet, our infrastructure and transaction-processing systems.

    We are completely dependent on our infrastructure and on the availability, reliability and security of the Internet and related systems. Substantially all of our computer and communications hardware is located at a single Overstock-owned and -operated facility . . . . Our back-up facility is not adequate to support sales at a high level. Our servers and applications are vulnerable to malware, physical or electronic break-ins and other disruptions, the occurrence of any of which could lead to interruptions, delays, loss of critical data or the inability to accept and fulfill customer orders. Any system interruption that results in the unavailability of our Website or our mobile app or reduced performance of our transaction systems could interrupt or substantially reduce our ability to conduct our business. We have experienced periodic systems interruptions due to... intentional cyber-attacks in the past, and may experience additional interruptions or failures in the future. Any failure or impairment of our infrastructure or of the availability of the Internet or related systems could have a material adverse effect on our financial results and business." Overstock.com, Inc., Form 10-K filed March 15, 2018 (SIC 5961—Retail—Catalog & Mail-Order Houses)
  • "Operational risks, including cybersecurity risks, may disrupt our businesses, result in losses or limit our growth.

    In addition, our systems face ongoing cybersecurity threats and attacks. Attacks on our systems could involve, and in some instances have in the past involved, attempts intended to obtain unauthorized access to our proprietary information, destroy data or disable, degrade or sabotage our systems, including through the introduction of computer viruses. Cyberattacks and other security threats could originate from a wide variety of sources, including cyber criminals, nation state hackers, hacktivists and other outside parties. There has been an increase in the frequency and sophistication of the cyber and security threats we face, with attacks ranging from those common to businesses generally to those that are more advanced and persistent, which may target us because, as an alternative asset management firm, we hold a significant amount of confidential and sensitive information about our investors, our portfolio companies and potential investments. As a result, we may face a heightened risk of a security breach or disruption with respect to this information. If successful, these types of attacks on our network or other systems could have a material adverse effect on our business and results of operations, due to, among other things, the loss of investor or proprietary data, interruptions or delays in our business and damage to our reputation. There can be no assurance that measures we take to ensure the integrity of our systems will provide protection, especially because cyberattack techniques used change frequently or are not recognized until successful. If our systems are compromised, do not operate properly or are disabled, or we fail to provide the appropriate regulatory or other notifications in a timely manner, we could suffer financial loss, a disruption of our businesses, liability to our investment funds and fund investors, regulatory intervention or reputational damage.

    In addition, we operate in businesses that are highly dependent on information systems and technology. The costs related to cyber or other security threats or disruptions may not be fully insured or indemnified by other means. In addition, cybersecurity has become a top priority for regulators around the world. Many jurisdictions in which we operate have laws and regulations relating to data privacy, cybersecurity and protection of personal information, including the General Data Protection Regulation in the European Union that goes into effect in May 2018. Some jurisdictions have also enacted laws requiring companies to notify individuals of data security breaches involving certain types of personal data. Breaches in security could potentially jeopardize our, our employees' or our fund investors' or counterparties' confidential and other information processed and stored in, and transmitted through, our computer systems and networks, or otherwise cause interruptions or malfunctions in our, our employees', our fund investors', our counterparties' or third parties' operations, which could result in significant losses, increased costs, disruption of our business, liability to our fund investors and other counterparties, regulatory intervention or reputational damage. Furthermore, if we fail to comply with the relevant laws and regulations, it could result in regulatory investigations and penalties, which could lead to negative publicity and may cause our fund investors and clients to lose confidence in the effectiveness of our security measures." Blackstone Group L.P., Form 10-K filed March 1, 2018 (SIC 6282—Investment Advice)
  • "Our operations may be adversely affected by cybersecurity risks.

    We are subject to cybersecurity risks including unauthorized access to privileged information, technological assaults on our infrastructure aimed at stealing information, fraud or interference with regular service and interruption of our services to clients or users resulting from the exploitation of these vulnerabilities. Cyber-attacks, distributed denial of service attacks and other cybersecurity matters, if successful, could have an adverse effect on our business, financial condition or results of operations.

    Two of the most significant cyber-attack risks that we face are e-fraud and loss of sensitive customer data. Loss from e-fraud occurs when cyber-criminals extract funds directly from clients' or our accounts using fraudulent schemes that may include Internet-based funds transfers. Such attacks are infrequent, but could present significant reputational, legal and regulatory costs to us if successful. We also face risks related to cyber-attacks and other security breaches in connection with credit card transactions that typically involve the transmission of sensitive information regarding our clients through various third parties, including merchant acquiring banks, payment processors, payment card networks, our processors and clearing banks. Some of these parties have in the past been the target of security breaches and cyber-attacks, and because the transactions involve third parties and environments such as the point of sale that we do not control or secure, future security breaches or cyber-attacks affecting any of these third parties could impact us through no fault of our own, and in some cases we may have exposure and suffer losses for breaches or attacks relating to them. Additionally, we face the risk that a party with which we or our clients do business, such as credit rating agencies, could suffer a cyber-attack. If such a cyber-attack occurs, we could be indirectly impacted in a variety of ways, such as our clients' personal data is compromised or consumer confidence is undermined.

    We cannot assure you that we will not experience a material cyber-attack, suffer indirect consequences from a cyber-attack on a third party, or fail to anticipate, identify or offset such threats of potential cyber-attacks or breaches of our security in a timely manner. If such an event occurs, our financial condition and results of operations could be materially and adversely affected." FirstCaribbean International Bank Ltd., Form F-1 filed March 23, 2018 (SIC 6029—Commercial Banks)
  • "We are subject to cyber security risks and may incur increasing costs in an effort to minimize those risks.

    [...] Although we take steps to secure our management information systems, and although multiple auditors review and approve the security configurations and management processes of these systems, including our computer systems, intranet and internet sites, email and other telecommunications and data networks, the security measures we have implemented may not be effective, and our systems may be vulnerable to theft, loss, damage and interruption from a number of potential sources and events, including unauthorized access or security breaches, natural or man-made disasters, cyberattacks, computer viruses, power loss, or other disruptive events. We may not have the resources or technical sophistication to anticipate or prevent rapidly evolving types of cyberattacks. Attacks may be targeted at us, our customers and suppliers, or others who have entrusted us with information. In addition, attacks not targeted at us, but targeted solely at suppliers, may cause disruption to our computer systems or a breach of the data that we maintain on customers, employees, suppliers and others.

    Actual or anticipated attacks may cause us to incur increasing costs, including costs to deploy additional personnel and protection technologies, train employees and engage third-party experts and consultants, or costs incurred in connection with the notifications to employees, suppliers or the general public as part of our notification obligations to the various governments that govern our business. Advances in computer capabilities, new technological discoveries, or other developments may result in the breach or compromise of technology used by us to protect transaction or other data. In addition, data and security breaches can also occur as a result of non-technical issues, including breaches by us or by persons with whom we have commercial relationships that result in the unauthorized release of personal or confidential information. Our reputation, brand and financial condition could be adversely affected if, as a result of a significant cyber event or other security issues: our operations are disrupted or shut down; our confidential, proprietary information is stolen or disclosed; we incur costs or are required to pay fines in connection with stolen customer, employee or other confidential information; we must dedicate significant resources to system repairs or increase cyber security protection; or we otherwise incur significant litigation or other costs." Spirit Airlines, Inc., Form 424B2 filed November 14, 2017 (SIC 4512—Air Transportation, Scheduled)

Originally published in LexisNexis

© Copyright 2018. The Mayer Brown Practices. All rights reserved.