Checklist
For Cybersecurity SEC Disclosures
Cybersecurity incident discovered
Follow disclosure controls and procedures to inform senior management
Material cybersecurity incident?
Immediate duty to disclose within 4 business days
Substantial likelihood that a reasonable investor would consider it important in making an investment decision?
Information about the incident would significantly alter the total mix of information available?
Unclear/still investigating?
Immaterial incident?
Defer disclosure until/if materiality established
No duty to disclose
DISCLOSURE CONTROLS AND PROCEDURES CHECKLIST
Existing policies and procedures to identify and investigate cybersecurity incidents?
Potentially material incidents referred to appropriate committees, including disclosure committee for further analysis?
Escalation of potentially material incidents to board of directors and senior management responsible for making disclosure decisions and certifications?
Are material cybersecurity incidents and risks disclosed to investors?
Review, and if necessary update, of existing disclosures if new facts render them incorrect or misleading?
MATERIALITY CHECKLIST
Was any information compromised?
Nature of compromised information?
Type & scope of harm?
Harm to customers?
Impact on company/customer operations?
Financial harm (increased costs, lost revenue, etc.)?
Duration of incident?
Reputational harm?
Exposure to potential legal claims/government enforcement actions?
Incident at third-party that impacts company’s operations, financial condition, and/or customers?
Consistent with existing risk factor disclosures?
Type of threat actor?
Confidential law enforcement/government investigation?
HOW CAN WE HELP?
Executing cybersecurity disclosure controls and procedures best practices and complying with cybersecurity disclosure requirements can be daunting for even the most diligent of companies. Morrison Foerster is here to help you develop disclosure controls and procedures that are tailored to your organization and to navigate the facts and circumstances of a materiality analysis.
We offer a multidisciplinary approach involving our highly respected global Privacy + Data Security Group, Securities Litigation, Securities Enforcement, and Investigations + White Collar Defense Group, and Corporate Governance Group, all of which include well-respected alumni of the Securities and Exchange Commission and the U.S. Department of Justice.
MIRIAM WUGMEISTER, mwugmeister@mofo.com, (212) 506-7213
JACKIE LIU, jliu@mofo.com, (415) 268-6722
SCOTT LESMES, slesmes@mofo.com, (202) 887-1585
HAIMA MARLIER, hmarlier@mofo.com, (212) 336-4409