Earlier this month, fitness-tracking company Fitbit, Inc. filed a Form S-1 Registration Statement for an IPO of up to $100 million that exhaustively disclosed potential cybersecurity risks with respect to the personal data the company collects. As businesses collect and process voluminous amounts of consumer data, and as data breaches become more widespread, registration statement disclosures discussing cyber risk have garnered much attention. It is critical for companies both to analyze their cyber risks before going public and to provide relevant disclosures on an ongoing basis for investors to consider.
According to SEC guidance, public companies must disclose cybersecurity risks and incidents that could have a material impact on profitability. Clear and relevant cyber risk disclosures may be critical in preventing or mitigating future scrutiny from regulators and shareholders. In addition to SEC scrutiny of cyber risks, shareholders in class action suits may claim to have been harmed by a breach resulting from an undisclosed risk factor. In its S-1, Fitbit disclosed cybersecurity risk factors, such as vulnerabilities created by its regulatory requirements and other legal privacy requirements, the volume and sensitivity of the information collected, and its third-party vendors. Although the Fitbit disclosures broadly cover risks, its S-1 may lack important specifics, such as its third-party vendor utilization and processes. Best practices dictate that companies filing for IPOs thoroughly consider their cyber risk profile to avoid future risk and potential liability. Companies have an ongoing obligation to keep such information up to date in the event of newly discovered cyber risks or significant breach incidents.