Companies have struggled with how and what to disclose and how to account for their real and potential cyber exposures. With little uniformity and much confusion, recent guidance for public companies from the U.S. Securities and Exchange Commission (SEC) is welcome.
However, the content of that guidance, and the extensive, specific information it details, will be considered controversial by many, not least because it applies to both pre-attack exposure measurements and post-attack accounting. Coming from the department within the SEC that reviews and approves public company annual reports, the “guidance” may be viewed as more of a requirement than a gentle suggestion.
With annual report season almost upon us for many public companies, the time to review, assess and respond to the new guidance is now!
Our four-page ER Alert discusses the implications in greater detail.