Recent, high-profile cyber attacks and cybersecurity lapses have resulted in a serious focus on cybersecurity from the Obama administration, the Senate and the SEC. In the past year, there were reports of cyber thieves hacking corporate networks to steal customer data from financial services firms and retailers, intellectual property from life sciences, technology and industrial companies and information regarding the location of major oil reserve from multinational oil companies. This proliferation of cyber attacks led to five U.S. senators writing to SEC Chairwoman Mary Schapiro asking the SEC to develop and publish interpretive guidance on the disclosure of cybersecurity risks by public companies. The SEC’s Division of Corporation Finance staff did so in October 2011 (www.sec.gov/divisions/corpfin/guidance/cfguidancetopic2. htm).

Corp Fin’s guidance is not a new disclosure rule, nor does it give the SEC specific authority to regulate a company’s cybersecurity policy. Rather, the guidance is a clarification of existing disclosure obligations; and with 10-Ks due soon for a number of public companies, now is the time to understand and consider the disclosure impact of this guidance....