Although no existing disclosure requirement explicitly refers to cybersecurityrisks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. In addition, material information regarding cybersecurityrisks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading. Therefore, as with other operational and financial risks, registrants should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurityrisks and cyber incidents.
Depending on the registrant’s particular facts and circumstances, and to the extent material, appropriate disclosures may include:
Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurityrisks and the potential costs and consequences;
To the extent the registrant outsources functions that have material cybersecurityrisks, description of those functions and how the registrant addresses those risks;
Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;