Broadening the Scope of Cyber Risk Disclosures

Lawyers from McDermott Will and Emery discuss in a blog post the evolution of cybersecurity guidance from the SEC and propose key risk disclosures for public companies. The lawyers note that cybersecurity risk factor disclosures are, as of yet, underdeveloped for many registrants. They suggest a list comprising a “comprehensive model disclosure that reflects the broad scope and realities of digital and cybersecurity risk.” The suggested disclosures may be helpful for directors who may be discussing cybersecurity measures for 2021 with counsel, the CCO and fund management. The lawyers believe disclosures should address at least the following areas:

  • Possible harms to the business if electronic data is compromised.
  • Potential liability resulting from defects or disruptions in services.
  • Potential harm to the firm’s competitive position or operations because of failure to keep pace with developments in technology.
  • Reputational harm resulting from a cybersecurity breach.
  • Obligations under privacy regulations from U.S. and other regulatory regimes.