The Web Resource for the National Industrial Security Program and Cyber Security Business/Law

White House : Obama Announces U.S.-Canada Beyond the Border and Regulatory Cooperation Council Initiatives
Posted by DigitalDominion on 2012/1/13 17:20:02 (49 reads)

The White House
Office of the Press Secretary
December 07, 2011

Fact Sheet: U.S.-Canada Beyond the Border and Regulatory Cooperation Council Initiatives

Today, the United States and Canada enjoy the largest bilateral trade and investment relationship in the world. Total trade and investment between the United States and Canada topped $1.1 trillion in 2010, and those numbers are growing.

The United States and Canada are each other’s largest export market, with roughly 20 percent of all U.S. goods exports destined to Canada. U.S. exports to Canada already support 1.7 million jobs, and in 2010 U.S. exports to Canada grew more than U.S. exports to the rest of the world. Canada is the top export destination for 36 U.S. states.

We share common infrastructure, including bridges, tunnels, pipelines, and electricity grids, and our supply chains are integrally linked, with a single good often crossing the shared border multiple times during its production cycle.

Recognizing these dynamics, on February 4, 2011, President Barack Obama and Prime Minister Stephen Harper announced two initiatives to ensure that the vital economic partnership that joins our two countries continues to be the cornerstone of our economic competitiveness and security as we together face the challenges of the 21st century.

Since the Leaders’ announcement, representatives from across the United States Government have worked with their Canadian counterparts to formulate the Beyond the Border (BTB) Action Plan and the Regulatory Cooperation Council (RCC) Action Plan being unveiled today.

Together, these initiatives build on our well-established bilateral cooperation on trade, investment, emergency preparedness, security, and defense. BTB and RCC are complementary and promote transparency, efficiency, and the free and secure flow of people and trade across our borders while maintaining and expanding our already robust relationships that keep people, goods, and services safe and secure.

Beyond the Border

The BTB Action Plan sets out joint priorities for achieving a new long-term security partnership in four key areas, guided by mutual respect for sovereignty and our separate constitutional and legal frameworks that protect individual privacy:

• addressing threats early;
• promoting trade facilitation, economic growth, and jobs;
• strengthening cross-border law enforcement; and
• protecting shared critical infrastructure, including enhancing continental and global cybersecurity.

The BTB Executive Steering Committee (ESC) will hold annual meetings to advance shared border management efforts and identify areas for further progress. To ensure continued transparency and accountability, the BTB ESC will generate a joint, public “Beyond the Border Implementation Report” to summarize BTB cooperation annually. Implementation of the BTB Action Plan will be carried out in close consultation with the wide array of interested stakeholders through appropriate lead agencies and will be subject to normal regulatory, legislative, and appropriations processes.

Through implementation of the BTB Action Plan, the United States and Canada will address threats at the earliest possible point by enhancing our common understanding of the shared threat environment through joint, integrated threat assessments, and by improving our intelligence and national security information sharing. We will enhance domain awareness in air, maritime, and land environments, cooperate to counter violent extremism, and develop harmonized commercial passenger and cargo screening processes that will expedite the secure passage of people and goods. We will conduct joint assessments of plant, animal, and food systems in third countries to keep our food supplies safe.

Additionally, the United States and Canada will enhance our trusted traveler and trader programs by aligning requirements, enhancing member benefits, and providing applicants with the opportunity to submit one application to be enrolled in multiple programs. We will strive to facilitate business travel across our border, provide a single “window” for importers to submit information needed to comply with customs and other regulations, promote supply chain connectivity by harmonizing low-value shipment processes, and increase public transparency regarding application of border fees, with a view to providing greater accountability for costs to businesses and promoting trade competitiveness.

To keep the flow of goods and people moving smoothly, we will enhance and expand the work of the twenty land border Binational Port Operations Committees established in 2011, coordinate our border infrastructure investment at key border crossings and at small and remote ports of entry to, where possible, align hours of operation and co-manage facilities.

Building on existing cross-border law enforcement frameworks, we will implement a “Next Generation” pilot project to cooperate on national security and transnational criminal investigations and provide law enforcement radio interoperability.

Finally, under the BTB Action Plan the United States and Canada will develop and enhance cross-border critical infrastructure and resilience, protect vital government and critical digital infrastructure of binational importance, and make cyberspace safer for all our citizens, while expanding our joint leadership on international cybersecurity efforts. We also intend to mitigate the impact of binational disasters on communities by establishing procedures to manage land and maritime traffic in the event of a border area emergency, and enhance our collective preparedness for security threats of all types -- health, chemical, biological, radiological, nuclear, and explosive.

Regulatory Cooperation

The February Statement on Regulatory Cooperation recognized the critical importance of our $1 trillion annual bilateral trade and investment relationship and established the RCC with a two-year mandate to promote economic growth, job creation, and benefits to our consumers and businesses through increased regulatory transparency and coordination. The United States and Canada intend to eliminate unnecessary burdens on cross-border trade, reduce costs, foster cross-border investment, and promote certainty for the general public and businesses, particularly small- and medium-sized enterprises operating near the border, by coordinating, simplifying, and ensuring where possible the compatibility of regulations.

In March, a Federal Register Notice requested that the public submit ideas for suggested changes to existing regulations that would ease the transport and sale of goods and services on the other side of the border. Given the integrated nature of our economies, greater alignment and better mutual reliance on our regulatory approaches will lead to lower costs for consumers and businesses, create more efficient supply chains, increase trade and investment, generate new export opportunities, and create jobs on both sides of the border. Building on the numerous comments received from the public, we have agreed to focus our initial work on:

• agriculture and food;
• transportation;
• health, personal care products, and workplace chemicals; and
• the environment.

As we implement the Action Plans for BTB and RCC, U.S. and Canadian departments and agencies will continue to incorporate public feedback they receive through traditional mechanisms such as Federal Register Notices, websites, public meetings, and other public engagement.

For more than forty years, the increasing integration of the economies of the United States and Canada has been the key to our two countries’ prosperity and security. With these initiatives, we intend to work together to reduce and eliminate barriers to trade and investment, securing our shared competitiveness for the 21st century.

Programs, Seminars & Events Related to National Security : SANS Cyber Defense Initiative (CDI) 2011, December 9 - 16 in Washington DC
Posted by DigitalDominion on 2011/10/24 11:20:22 (0 reads)

Mark your calendar for SANS Cyber Defense Initiative (CDI) 2011, December 9 - 16 in Washington DC. Knowledge is power, especially when the knowledge is about the latest attacks and what to do about them. Now is the time to be sure you know how the newest attacks work and what can and cannot be done to stop them or mitigate the damage. Now is the time to be sure that your tools are up to the task of finding, blocking, and deciphering hacking attacks. Now is the time to take the training you need. SANS is the one education organization known for developing those security skills now most in need. Every course, evening talk, and special event being offered at SANS CDI 2011 is geared to keep you on the cutting edge and to ensure that you have the knowledge and power required to fight against the actions of today's cyber criminals.

SANS CDI 2011 offers a unique chance to learn from the best teachers in security. You'll get the kind of hands-on, immersion training that you can put to work immediately.

See: http://www.sans.org/cyber-defense-initiative-2011/

News and Announcements from The Defense Security Service (DSS) : DSS Counterintelligence Directorate Releases "Targeting U.S. Technologies: A Trend Analysis Reporting from Defense Industry"
Posted by DigitalDominion on 2011/10/19 16:40:58 (201 reads)

(10/19/11) The DSS Counterintelligence Directorate has released the unclassified publication, "Targeting U.S. Technologies: A Trend Analysis Reporting from Defense Industry." This report analyzes suspicious contact reports received from defense industry in fiscal year 2010. It is available online at http://www.dss.mil/counterintel/2011-unclassified-trends.pdf

News and Announcements from Department of Defense : DoD, GSA, and NASA Propose Privacy Training Requirements
Posted by DigitalDominion on 2011/10/17 13:20:58 (45 reads)

DEPARTMENT OF DEFENSE
GENERAL SERVICES ADMINISTRATION
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR Parts 24 and 52
[FAR Case 2010–013; Docket 2010–0013; Sequence 1]
RIN 9000–AM02
Federal Acquisition Regulation; Privacy Training, 2010–013

AGENCY: Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA).

ACTION: Proposed rule.

SUMMARY: DoD, GSA, and NASA are proposing to amend the Federal Acquisition Regulation (FAR) to require contractors to complete training that addresses the protection of privacy, in accordance with the Privacy Act of 1974, and the handling and safeguarding of personally identifiable information.

DATES: Interested parties should submit written comments to the Regulatory Secretariat at one of the addresses shown below on or before December 13, 2011 to be considered in the formation of the final rule.

ADDRESSES: Submit comments in response to FAR case 2010–013 by any of the following methods:

• Regulations.gov: http://www.regulations.gov. Submit comments via the Federal eRulemaking portal by inputting “FAR Case 2010–013” under the heading “Enter Keyword or ID” and selecting “Search.” Select the link “Submit a Comment” that corresponds with “FAR Case 2010–013.” Follow the instructions provided at the “Submit a Comment” screen. Please include your name, company name (if any), and “FAR Case 2010–013” on your attached document.

• Fax: (202) 501–4067.

• Mail: General Services Administration, Regulatory Secretariat (MVCB), ATTN: Hada Flowers, 1275 First Street, NE., 7th Floor, Washington, DC 20417.

Instructions: Please submit comments only and cite FAR Case 2010–013, in all correspondence related to this case. All comments received will be posted without change to http://www.regulations.gov, including any personal and/or business confidential information provided.

FOR FURTHER INFORMATION CONTACT: Mr. Karlos Morgan, Procurement Analyst, at (202) 501–2364 for clarification of content. For information pertaining to status or publication schedules, contact the Regulatory Secretariat at (202) 501–4755. Please cite FAR Case 2010–013.

SUPPLEMENTARY INFORMATION:

I. Background

DoD, GSA, and NASA are proposing to amend the Federal Acquisition Regulation (FAR) to add a new subpart 24.3, entitled “Privacy Training,” and related clause to ensure that contractors identify employees who require access to a Government system of records, handle personally identifiable information, or design, develop, maintain, or operate a system of records on behalf of the Federal Government, and who, therefore, are required to complete privacy training initially upon award of the procurement and at least annually thereafter. In addition, contractors are required to keep records indicating that employees have completed the required training and, upon request, provide those records to the Government. This rule does not apply to commercial items.

These requirements are consistent with subsection (e), Agency requirements, and subsection (m), Government contractors, of the Privacy Act of 1974, 5 U.S.C. 552a. Other applicable authorities that address the responsibility for Federal agencies to ensure that Government and contractor personnel are instructed on compliance requirements with the laws, rules, and guidance pertaining to handling and safeguarding personally identifiable information include the E–Government Act of 2002, the Federal Information Security Management Act (FISMA) of 2002, and Federal guidance from the Office of Management and Budget (OMB), e.g., OMB Memorandum M–07–16, entitled “Safeguarding Against and Responding to the Breach of Personally Identifiable Information,” issued May 22, 2007; OMB Memorandum M–10–23, entitled “Guidance for Agency Use of Third-Party Web sites and Applications,” issued June 25, 2010 (this memorandum contains the most current definition of personally identifiable information, and clarifies the definition provided in M–07–16); and OMB Circular No. A–130, entitled “Management of Federal Information Resources,” which address significant requirements for safeguarding and handling personally identifiable information and reporting any theft, loss, or compromise of such information. In addition, FAR subpart 24.1 requires that Federal agencies contracting for the design, development, or operation of a system of records on individuals must extend all Privacy Act safeguards to the contractor and its employees working on the contract. Minimum requirements for privacy training are proposed for the coverage in order to ensure consistency across the Government. For example, any privacy training must address the protection of privacy, in accordance with the Privacy Act (5 U.S.C. 552a), and the handling and safeguarding of personally identifiable information.

The proposed FAR text includes seven mandatory elements of the privacy training, including any agency-specific requirements. Many agencies currently require that designated contractor employees complete agency-developed privacy training, but, in some circumstances, an agency may provide a contractor with the Privacy Act requirements and have the contractor develop the training package. While the use of an agency-developed privacy training package is the most common approach, and the approach embodied in the clause at FAR 52.224–XX, Privacy Training, the proposed FAR language provides an Alternate I to the FAR clause for those cases where the agency prefers to have the contractor create the privacy training package. Additionally, the proposed FAR language provides an Alternate II to the FAR clause for those instances when it’s determined to be in the best interest of the Government for a contractor employee to attend agency provided privacy training.

Under the proposed FAR rule, a contractor employee who requires access to a Government system of records will be granted or allowed to retain such access only if the individual has (1) Completed privacy training and (2) met all other applicable agency requirements.

II. Executive Orders 12866 and 13563

Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). E.O. 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This is a significant regulatory action and, therefore, was subject to review under Section 6(b) of E.O. 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804.

III. Regulatory Flexibility Act

The change may have a significant economic impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act 5 U.S.C. 601, et seq. The Initial Regulatory Flexibility Analysis (IRFA) is summarized as follows:

This proposed rule was initiated to ensure that contractor personnel who handle personally identifiable information; design, develop, maintain, or operate a system of records on behalf of the Government; or require access to a Government-owned system of records are properly trained on the requirements of applicable laws and appropriate safeguards to ensure the security and confidentiality of personally identifiable information. Such training of contractor employees is required by provisions of the Privacy Act (5 U.S.C. 552a), Title III of the E-Government Act of 2002, the Office of Management and Budget (OMB) Memorandum M–07–16, and existing Privacy Act clauses (52.224–1 and 52.224–2). Various other statutes, applicable authorities, and memoranda address the responsibility of Federal agencies to ensure that Government and contractor personnel are instructed on compliance requirements pertaining to the handling and safeguarding of personally identifiable information. The list includes, but is not limited to the following:
• The Federal Information Security Management Act (FISMA) of 2002 (44 U.S.C. 3541);
• OMB Memorandum M–06–15, Safeguarding Personally Identifiable Information; and
• OMB Circular No. A–130, Management of Federal Information Resources.

The proposed rule requires all contractors with contracts that require employees to have access to personally identifiable information to complete training that addresses the statutory requirements for protection of privacy, in accordance with the Privacy Act (5 U.S.C. 552a), and the handling and safeguarding of personally identifiable information. This rule requires the contractor to identify its employees who require access, ensure that those employees complete agency-provided privacy training before being granted access and annually thereafter, and maintain records of the training. In a few cases, the content of the training will not be provided by the agency but will be created by the contractor in accordance with Alternate I to the clause at FAR 52.224–XX.

Alternate II to the clause at FAR 52.224–XX if it is determined to be in the best interest of the Government for a contractor employee to attend agency-provided privacy training. This rule does not apply to commercial items.

Information obtained from the Federal Procurement Data System for Fiscal Year 2009 demonstrates that 98,864 small business concerns were awarded contracts and 197,728 firms were awarded subcontracts. However, only contracts for the types of work identified in the paragraphs above will be subject to the privacy-training requirement. We estimated that approximately one-half of one percent of all small business Government prime contractors and subcontractors will be required to conduct privacy training as follows:

Small business prime contractors: 98,864
Small business subcontractors: + 197,728
Total small businesses: 296,592
Percent w/privacy-training requirement: × 0.005
Number of small businesses impacted: 1,483

Recordkeeping associated with this proposed rule is minimal; there are no required formats or templates for the records, and they will be retained by the contractor in most cases. The Government only will request a contractor’s training records on an exception basis, i.e., if the Government has a particular reason to check on a contractor’s compliance with the training requirement. The Regulatory Secretariat will be submitting a copy of the Interim Regulatory Flexibility Analysis (IRFA) to the Chief Counsel for Advocacy of the Small Business Administration. A copy of the IRFA may be obtained from the Regulatory Secretariat. DoD, GSA and NASA invite comments from small business concerns and other interested parties on the expected impact of this rule on small entities. DoD, GSA, and NASA will also consider comments from small entities concerning the existing regulations in subparts affected by this rule in accordance with 5 U.S.C. 610. Interested parties must submit such comments separately and should cite 5 U.S.C. 610 (FAR Case 2010–013) in correspondence.

IV. Paperwork Reduction Act

The Paperwork Reduction Act (44 U.S.C. chapter 35) applies. The proposed rule contains information collection requirements. Accordingly, the Regulatory Secretariat has submitted a request for approval of a new information collection requirement concerning “Privacy Training” to the Office of Management and Budget.

A. Public reporting burden for this collection of information is estimated to average one hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. The recordkeeping requirements are minor, and records generally will be retained within the contractor’s organization. While a contractor is required to identify its employees who require initial privacy training and annual privacy training thereafter, there is no requirement to collect this information in a particular format or provide it to the Government, other than on an exception basis, i.e., when there is an indication that the contractor is not complying with the training requirements.

The annual reporting burden is estimated as follows:
Respondents: 148
Responses per respondent: 1
Total annual responses: 148
Preparation hours per response: 1
Total response burden hours: 148

B. Request for Comments Regarding Paperwork Burden.
Submit comments, including suggestions for reducing this burden, not later than December 13, 2011 to: FAR Desk Officer, OMB, Room 10102, NEOB, Washington, DC 20503, and a copy to the General Services Administration, Regulatory Secretariat (MVCB), ATTN: Hada Flowers, 1275 First Street, NE., 7th Floor, Washington, DC 20417.

Public comments are particularly invited on: whether this collection of information is necessary for the proper performance of functions of the FAR, and will have practical utility; whether our estimate of the public burden of this collection of information is accurate, and based on valid assumptions and methodology; ways to enhance the quality, utility, and clarity of the information to be collected; and ways in which we can minimize the burden of the collection of information on those who are to respond, through the use of appropriate technological collection techniques or other forms of information technology.

Requester may obtain a copy of the supporting statement from the General Services Administration, Regulatory Secretariat (MVCB), Attn: Hada Flowers, 1275 First Street, NE., 7th Floor, Washington, DC 20417. Please cite OMB Control Number 9000–0182, FAR Case 2010–013, Privacy Training, in correspondence.

List of Subjects in 48 CFR Parts 24 and 52

Government procurement.
Dated: October 6, 2011.
Laura Auletta,
Acting Director, Office of Governmentwide Acquisition Policy, Office of Acquisition Policy.
Therefore, DoD, GSA, and NASA propose amending 48 CFR parts 24 and 52 as set forth below:

1. The authority citation for 48 CFR parts 24 and 52 continues to read as follows:
Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 42 U.S.C. 2473(c).

PART 24—PROTECTION OF PRIVACY AND FREEDOM OF INFORMATION

2. Add subpart 24.3 to read as follows:

Subpart 24.3—Privacy Training
Sec.
24.301 Privacy Training.

24.302 Contract clause.

Subpart 24.3—Privacy Training
§ 24.301 Privacy training.

(a) Contractors are responsible for conducting initial privacy training, and annual privacy training thereafter, for employees who—
(1) Require access to a Government system of records;
(2) Handle personally identifiable information; or
(3) Design, develop, maintain, or operate a system of records on behalf of the Federal Government (see subpart 24.1 and 39.105).

(b) Agencies shall provide contractors with the privacy training materials (in a format deemed appropriate) necessary to satisfy the requirement described in paragraph (a) of this section unless, on an exception basis, the contracting officer authorizes a contractor to provide its own privacy training materials (see 24.302(b)).

(c) Privacy training shall, at a minimum, address—
(1) The protection of privacy, in accordance with the Privacy Act (5 U.S.C. 552a);
(2) The handling and safeguarding of personally identifiable information;
(3) The authorized and official use of a Government system of records;
(4) Restrictions on the use of personally-owned equipment to process, access, or store personally identifiable information;
(5) The prohibition against access by unauthorized users, and unauthorized use by authorized users, of personally identifiable information or systems of records on behalf of the Federal Government;
(6) Breach notification procedures (i.e., procedures for notifying appropriate individuals when privacy information is lost, stolen, or compromised) to minimize risk and to ensure prompt and appropriate actions are taken should a breach occur; and
(7) Any agency-specific privacy training requirements.

(d) The contractor is responsible for ensuring that employees identified in paragraph (a) of this section complete the required training and maintain evidence of appropriate training completed. The contractor is required, upon request, to provide evidence of completion of privacy training for all applicable employees.

(e) Each contractor employee who requires access to a Government system of records, handles personally identifiable information, or designs, develops, maintains, or operates a Government system of records, shall be granted or allowed to retain such access only if the individual—
(1) Has completed agency-mandated privacy training that, at a minimum, addresses the elements in paragraph (c) of this section; and
(2) Has met all other applicable agency requirements.

§ 24.302 Contract clause.
(a) When contractor employees will have access to a Government system of records, handle personally identifiable information, or design, develop, maintain, or operate a system of records, the contracting officer shall insert the clause at FAR 52.224–XX, Privacy Training, in solicitations and contracts.
(b) When the contracting officer elects to have the contractor provide its own privacy training materials, use Alternate I in lieu of paragraph (a) of the basic clause.
(c) When an agency elects to provide privacy training to contractor employees, use Alternate II in lieu of paragraph (a) of the basic clause.

PART 52—SOLICITATION PROVISIONS AND CONTRACT CLAUSES

3. Add section 52.224–XX to read as follows:

52.224–XX Privacy Training.

As prescribed in 24.302(a), insert the following clause:

Privacy Training (Date)
(a) The Contractor shall conduct initial privacy training, and annual privacy training thereafter, using the Government-provided privacy training materials, for employees who—
(1) Require access to a Government system of records;
(2) Handle personally identifiable information; or
(3) Design, develop, maintain, or operate a system of records on behalf of the Federal Government (see also FAR subpart 24.1 and 39.105).

(b) The Contractor shall ensure that its employees, as identified in paragraph (a) of this clause, complete the required training in a timely manner. In addition, the Contractor shall maintain privacy training records, and, upon request, shall provide to the Contracting Officer evidence of privacy training completed for applicable employees.

(c) The Contractor shall not grant any employee access to a Government system of records or personally identifiable information until the employee has completed privacy training, as required by this clause, and has met all other applicable agency requirements.

(d) The substance of this clause, including this paragraph (d), shall be included in all subcontracts under this contract, when subcontractor employees will (1) have access to a Government system of records, (2) handle personally identifiable information, or (3) design, develop, maintain, or operate a system of records on behalf of the Federal Government.

(End of clause)


Alternate I (Date). If the agency elects to have the Contractor provide its own privacy training materials, substitute the following paragraph (a) for paragraph (a) of the basic clause:
(a)(1) The Contractor shall conduct initial privacy training, and annual privacy training thereafter, using its own privacy training materials, for employees who—
(i) Require access to a Government system of records;
(ii) Handle personally identifiable information; or
(iii) Design, develop, maintain or operate a system of records on behalf of the Federal Government (see also FAR subpart 24.1 and 39.105).

(2) The privacy-training materials shall, at a minimum, address—
(i) The protection of privacy, in accordance with the Privacy Act (5 U.S.C. 552a);
(ii) The handling and safeguarding of personally identifiable information;
(iii) The authorized and official use of a Government system of records;
(iv) Restrictions on the use of personally owned equipment to process, access, or store personally identifiable information;
(v) The prohibition against access by unauthorized users, and unauthorized use by authorized users, of personally identifiable information or a system of records on behalf of the Federal Government;
(vi) Breach notification procedures (i.e., procedures for notifying appropriate individuals when privacy information is lost, stolen, or compromised); and
(vii) Any agency-specific privacy training requirements specified by the Contracting Officer.

Alternate II (Date). If the agency elects to provide privacy training to contractor employees, substitute the following paragraph (a) for paragraph (a) of the basic clause:
(a)(1) The Government shall provide initial privacy training, and annual privacy training thereafter, to contractor employees who—
(i) Require access to a Government system of records;
(ii) Handle personally identifiable information; or
(iii) Design, develop, maintain, or operate a system of records on behalf of the Federal Government (see also subpart 24.1 and 39.105).
(2) The Government will conduct privacy training to Contractor employees in the same format given its own employees (e.g., lecture, computer-based training, Web-based training, video conferencing, etc.).

[FR Doc. 2011–26546 Filed 10–13–11; 8:45 am]

News and Announcements from US Government Agencies : US SEC CF Disclosure Guidance: Topic No. 2 - Cybersecurity
Posted by DigitalDominion on 2011/10/17 12:25:53 (0 reads)

Division of Corporation Finance
Securities and Exchange Commission
CF Disclosure Guidance: Topic No. 2
Cybersecurity
Date: October 13, 2011

Summary: This guidance provides the Division of Corporation Finance's views regarding disclosure obligations relating to cybersecurity risks and cyber incidents.

Supplementary Information: The statements in this CF Disclosure Guidance represent the views of the Division of Corporation Finance. This guidance is not a rule, regulation, or statement of the Securities and Exchange Commission. Further, the Commission has neither approved nor disapproved its content.

Introduction

For a number of years, registrants have migrated toward increasing dependence on digital technologies to conduct their operations. As this dependence has increased, the risks to registrants associated with cybersecurity (Endnote 1) have also increased, resulting in more frequent and severe cyber incidents. Recently, there has been increased focus by registrants and members of the legal and accounting professions on how these risks and their related impact on the operations of a registrant should be described within the framework of the disclosure obligations imposed by the federal securities laws. As a result, we determined that it would be beneficial to provide guidance that assists registrants in assessing what, if any, disclosures should be provided about cybersecurity matters in light of each registrant’s specific facts and circumstances.

We prepared this guidance to be consistent with the relevant disclosure considerations that arise in connection with any business risk. We are mindful of potential concerns that detailed disclosures could compromise cybersecurity efforts -- for example, by providing a “roadmap” for those who seek to infiltrate a registrant’s network security -- and we emphasize that disclosures of that nature are not required under the federal securities laws.

In general, cyber incidents can result from deliberate attacks or unintentional events. We have observed an increased level of attention focused on cyber attacks that include, but are not limited to, gaining unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data, or causing operational disruption. Cyber attacks may also be carried out in a manner that does not require gaining unauthorized access, such as by causing denial-of-service attacks on websites. Cyber attacks may be carried out by third parties or insiders using techniques that range from highly sophisticated efforts to electronically circumvent network security or overwhelm websites to more traditional intelligence gathering and social engineering aimed at obtaining information necessary to gain access.

The objectives of cyber attacks vary widely and may include theft of financial assets, intellectual property, or other sensitive information belonging to registrants, their customers, or other business partners. Cyber attacks may also be directed at disrupting the operations of registrants or their business partners. Registrants that fall victim to successful cyber attacks may incur substantial costs and suffer other negative consequences, which may include, but are not limited to:

• Remediation costs that may include liability for stolen assets or information and repairing system damage that may have been caused. Remediation costs may also include incentives offered to customers or other business partners in an effort to maintain the business relationships after an attack;
• Increased cybersecurity protection costs that may include organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third party experts and consultants;
• Lost revenues resulting from unauthorized use of proprietary information or the failure to retain or attract customers following an attack;
• Litigation; and
• Reputational damage adversely affecting customer or investor confidence.

Disclosure by Public Companies Regarding Cybersecurity Risks and Cyber Incidents

The federal securities laws, in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision. (Endnote 2) Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. In addition, material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading. (Endnote 3). Therefore, as with other operational and financial risks, registrants should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.

The following sections provide an overview of specific disclosure obligations that may require a discussion of cybersecurity risks and cyber incidents.

Risk Factors

Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky. (Endnote 4) In determining whether risk factor disclosure is required, we expect registrants to evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents. As part of this evaluation, registrants should consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption. In evaluating whether risk factor disclosure should be provided, registrants should also consider the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware.

Consistent with the Regulation S-K Item 503(c) requirements for risk factor disclosures generally, cybersecurity risk disclosure provided must adequately describe the nature of the material risks and specify how each risk affects the registrant. Registrants should not present risks that could apply to any issuer or any offering and should avoid generic risk factor disclosure. (Endnote 5) Depending on the registrant’s particular facts and circumstances, and to the extent material, appropriate disclosures may include:

• Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
• To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
• Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
• Risks related to cyber incidents that may remain undetected for an extended period; and
• Description of relevant insurance coverage.

A registrant may need to disclose known or threatened cyber incidents to place the discussion of cybersecurity risks in context. For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur. Instead, as part of a broader discussion of malware or other similar attacks that pose a particular risk, the registrant may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences.

While registrants should provide disclosure tailored to their particular circumstances and avoid generic “boilerplate” disclosure, we reiterate that the federal securities laws do not require disclosure that itself would compromise a registrant’s cybersecurity. Instead, registrants should provide sufficient disclosure to allow investors to appreciate the nature of the risks faced by the particular registrant in a manner that would not have that consequence.

Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A)

Registrants should address cybersecurity risks and cyber incidents in their MD&A if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition. (Endnote 6) For example, if material intellectual property is stolen in a cyber attack, and the effects of the theft are reasonably likely to be material, the registrant should describe the property that was stolen and the effect of the attack on its results of operations, liquidity, and financial condition and whether the attack would cause reported financial information not to be indicative of future operating results or financial condition. If it is reasonably likely that the attack will lead to reduced revenues, an increase in cybersecurity protection costs, including related to litigation, the registrant should discuss these possible outcomes, including the amount and duration of the expected costs, if material. Alternatively, if the attack did not result in the loss of intellectual property, but it prompted the registrant to materially increase its cybersecurity protection expenditures, the registrant should note those increased expenditures.

Description of Business

If one or more cyber incidents materially affect a registrant’s products, services, relationships with customers or suppliers, or competitive conditions, the registrant should provide disclosure in the registrant’s “Description of Business.” (Endnote 7). In determining whether to include disclosure, registrants should consider the impact on each of their reportable segments. As an example, if a registrant has a new product in development and learns of a cyber incident that could materially impair its future viability, the registrant should discuss the incident and the potential impact to the extent material.

Legal Proceedings

If a material pending legal proceeding to which a registrant or any of its subsidiaries is a party involves a cyber incident, the registrant may need to disclose information regarding this litigation in its “Legal Proceedings” disclosure. For example, if a significant amount of customer information is stolen, resulting in material litigation, the registrant should disclose the name of the court in which the proceedings are pending, the date instituted, the principal parties thereto, a description of the factual basis alleged to underlie the litigation, and the relief sought. (Endnote 8)

Financial Statement Disclosures

Cybersecurity risks and cyber incidents may have a broad impact on a registrant’s financial statements, depending on the nature and severity of the potential or actual incident.

Prior to a Cyber Incident

Registrants may incur substantial costs to prevent cyber incidents. Accounting for the capitalization of these costs is addressed by Accounting Standards Codification (ASC) 350-40, Internal-Use Software, to the extent that such costs are related to internal use software.

During and After a Cyber Incident

Registrants may seek to mitigate damages from a cyber incident by providing customers with incentives to maintain the business relationship. Registrants should consider ASC 605-50, Customer Payments and Incentives, to ensure appropriate recognition, measurement, and classification of these incentives.

Cyber incidents may result in losses from asserted and unasserted claims, including those related to warranties, breach of contract, product recall and replacement, and indemnification of counterparty losses from their remediation efforts. Registrants should refer to ASC 450-20, Loss Contingencies, to determine when to recognize a liability if those losses are probable and reasonably estimable. In addition, registrants must provide certain disclosures of losses that are at least reasonably possible.

Cyber incidents may also result in diminished future cash flows, thereby requiring consideration of impairment of certain assets including goodwill, customer-related intangible assets, trademarks, patents, capitalized software or other long-lived assets associated with hardware or software, and inventory. Registrants may not immediately know the impact of a cyber incident and may be required to develop estimates to account for the various financial implications. Registrants should subsequently reassess the assumptions that underlie the estimates made in preparing the financial statements. A registrant must explain any risk or uncertainty of a reasonably possible change in its estimates in the near-term that would be material to the financial statements. (Endnote 9) Examples of estimates that may be affected by cyber incidents include estimates of warranty liability, allowances for product returns, capitalized software costs, inventory, litigation, and deferred revenue.

To the extent a cyber incident is discovered after the balance sheet date but before the issuance of financial statements, registrants should consider whether disclosure of a recognized or nonrecognized subsequent event is necessary. If the incident constitutes a material nonrecognized subsequent event, the financial statements should disclose the nature of the incident and an estimate of its financial effect, or a statement that such an estimate cannot be made. (Endnote 10)

Disclosure Controls and Procedures

Registrants are required to disclose conclusions on the effectiveness of disclosure controls and procedures. To the extent cyber incidents pose a risk to a registrant’s ability to record, process, summarize, and report information that is required to be disclosed in Commission filings, management should also consider whether there are any deficiencies in its disclosure controls and procedures that would render them ineffective. (Endnote 11) For example, if it is reasonably possible that information would not be recorded properly due to a cyber incident affecting a registrant’s information systems, a registrant may conclude that its disclosure controls and procedures are ineffective.


-----------------------------------------------------------------

Endnotes

(1) Cybersecurity is the body of technologies, processes and practices designed to protect networks, systems, computers, programs and data from attack, damage or unauthorized access. Whatis?com available at http://whatis.techtarget.com/definition/cybersecurity.html. See also Merriam-Webster.com available at http://www.merriam-webster.com/dictionary/cybersecurity.

(2) The information in this disclosure guidance is intended to assist registrants in preparing disclosure required in registration statements under the Securities Act of 1933 and periodic reports under the Securities Exchange Act of 1934. In order to maintain the accuracy and completeness of information in effective shelf registration statements, registrants may also need to consider whether it is necessary to file reports on Form 6-K or Form 8-K to disclose the costs and other consequences of material cyber incidents. See Item 5(a) of Form F-3 and Item 11(a) of Form S-3.

(3) Securities Act Rule 408, Exchange Act Rule 12b-20, and Exchange Act Rule 14a-9. Information is considered material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision or if the information would significantly alter the total mix of information made available. See Basic Inc. v. Levinson, 485 U.S. 224 (1988); and TSC Industries, Inc. v. Northway, Inc., 426 U.S. 438 (1976). Registrants also should consider the antifraud provisions of the federal securities laws, which apply to statements and omissions both inside and outside of Commission filings. See Securities Act Section 17(a); Exchange Act Section 10(b); and Exchange Act Rule 10b-5.

(4) See Item 503(c) of Regulation S-K; and Form 20-F, Item 3.D.

(5) Item 503(c) of Regulation S-K instructs registrants to “not present risks that could apply to any issuer or any offering” and further, to “[e]xplain how the risk affects the issuer or the securities being offered.” Item 503(c) of Regulation S-K.

(6) See Item 303 of Regulation S-K; and Form 20-F, Item 5. A number of past Commission releases provide general interpretive guidance on these disclosure requirements. See, e.g., Commission Guidance Regarding Management’s Discussion and Analysis of Financial Condition and Results of Operations, Release No. 33-8350 (Dec. 19, 2003) [68 FR 75056]; Commission Statement About Management’s Discussion and Analysis of Financial Condition and Results of Operations, Release No. 33-8056 (Jan. 22, 2002) [67 FR 3746]; Management’s Discussion and Analysis of Financial Condition and Results of Operations; and Certain Investment Company Disclosures, Release No. 33-6835 (May 18, 1989) [54 FR 22427].

(7) See Item 101 of Regulation S-K; and Form 20-F, Item 4.B.

(8) See Item 103 of Regulation S-K.

(9) See FASB ASC 275-10, Risks and Uncertainties.

(10) See ASC 855-10, Subsequent Events.

(11) See Item 307 of Regulation S-K; and Form 20-F, Item 15(a).

http://www.sec.gov/divisions/corpfin/ ... nce/cfguidance-topic2.htm



Top Articles, News & Announcements
An Overview of the Private Company Merger and Acquisition Process for Government Contractors Posted by bobwebb (730)
I. TRANSACTION BASICS
There are three basic types of merger and acquisition transaction: (1) asset purchase, (2) stock purchase and (3) merger. Consideration paid for the acquisition may include cash, stock of the buyer, assumption of seller liabilities or a combination of them. Factors including tax and financial accounting considerations, impact on earnings and cash flow, risk management, transaction mechanics and required corporate, governmental and third-party approvals are taken into account in determining transaction structure and form of consideration. The tax treatment of the transaction is often the most important factor. If the selling shareholders are key persons (whether continuing as employees or not), a portion of the consideration may be allocated to future employment compensation, covenants not to compete, or “Stay-Put” arrangements.
A. Asset Purchase. In an asset purchase, the buyer acquires only identified assets and liabilities of a company, not the company itself. With successful negotiation, the purchaser can select which of the seller’s assets to acquire (such as inventory, equipment, contract rights and intellectual property) and which not to acquire (such as contaminated real estate or obsolete inventory). Within limits, the buyer can also negotiate which outstanding or contingent liabilities to assume and not to assume. Buyers need to assess applicable state laws and determine if “successor liability” may apply – a common law doctrine applied by some states and in certain conditions which imposes upon the buyer of a business liability for certain obligations of the seller, even in the case of an asset purchase.
For tax and liability reasons, it is often said that buyers prefer to buy assets and sellers prefer to sell stock. As a practical matter, in most cases the substantial tax disadvantages of an asset deal to stockholders of the seller (likely double taxation at the corporate and stockholder levels) lead to a stock or merger transaction. As a result, asset purchases are most common in the acquisition of divisions of companies or specific contracts via novation, rather than entire companies.
B. Stock Purchase. In a stock purchase, the purchaser buys the outstanding stock of a corporation directly from the corporation’s stockholders. The corporation need not be a party to the transaction and remains unchanged after the closing (other than having different ownership), retaining all of its assets and liabilities. Existing employment agreements and non-compete agreements remain in place (though buyers often require that these be renegotiated to ensure the retention of key persons). Stock purchases are typically preferred by sellers because all liabilities are transferred along with the company, there is no double taxation, and there is no need to liquidate the company after the transaction.
C. Merger. In a merger, one corporation merges with another to become a single ongoing corporation. One company is designated the “surviving,” and the other the “disappearing” corporation. By operation of law, the surviving corporation acquires all of the assets and succeeds to all of the liabilities of the disappearing corporation, and the disappearing corporation ceases to exist as a separate legal entity.
As with the other types of transactions, in a merger, the stockholders of the acquired corporation typically receive cash, stock of the surviving corporation, or some combination of stock and cash. A merger may be taxable or non-taxable to the acquired corporation’s stockholders, depending on the mix of consideration received by such stockholders.
In most cases the merger must be approved by the boards of directors and stockholders of both corporations. While rarely exercised, stockholders of the acquired corporation who formally oppose the merger may “perfect dissenters’ rights” to have the value of their stock determined by a judicial procedure involving an appraisal rather than accept the value negotiated as part of the transaction. As a result, many merger agreements give the buyer an “out” if more than a small percentage of the seller’s stockholders perfect their dissenters’ rights.
D. Variations. There are numerous variations on these structures, such as
• reverse triangular mergers, in which the buyer incorporates a subsidiary that merges into the target company, and
• two-step transactions, in which the buyer acquires a controlling interest in the target by a stock purchase, and follows that transaction with a merger in order to eliminate or “freeze out” the remaining minority stockholders.
E. Transaction Stages and Timing. The typical acquisition of a substantial business involves two preparatory stages from the seller’s perspective, followed by three key events for both buyer and seller. For a selling corporation, the preparatory stages are: (I) positioning for possible sale, and (II) marketing the company. For both buyer and seller, the three key events are: (1) a letter of intent or term sheet; (2) a binding definitive purchase or merger agreement; and (3) closing. In some cases, particularly those involving public companies or smaller targets, there may be no letter of intent, and the signing of the agreement and the closing may be simultaneous.
In most cases, completing a substantial transaction from LOI to closing in two months would be considered lightning speed, while a transaction completed in a heavily negotiated or regulated context may take six months or longer.


  • [2414] (06/30/10) ISFO Process Manual Update
    Change in the Spill Overwrite Requirement Listed in Appendix S of the ISFO Process Manual, dated March 2010 – Effective immediately, sanitization of media will be complete when three overwrite cycles have been completed. Currently, the ISFO Process Manual states in Appendix S-2 #4 that the wiping utility “Must be able to sanitize by overwriting with a pattern, and then its complement, and finally with another unclassified pattern (e.g., “00110101” followed by “11001010” and then followed by “10010111” [considered three cycles]). Sanitization is not complete until six passes of the three cycles are successfully completed.” DSS is updating the ISFO Process Manual stating that “Sanitization is not complete until the three cycles (overwrites) are successfully completed.”...
  • [2407] DSS Guidance to Industry Reference USCYBERCOM Communications Tasking Order (CTO) 10-133
    (12/20/10) DSS Guidance to Industry Reference USCYBERCOM Communications Tasking Order (CTO) 10-133, "Protection of Classified Information on Department of Defense (DoD) Secret Internet Protocol Router Network (SIPRnet)":

    DSS understands there have been several questions regarding the issuance of the recent USCYBERCOM CTO 10-133. Please be advised this issuance applies only to contractors whose information systems have connectivity to the SIPRNet. Additional guidance can be obtained through your local DSS ISFO/ODAA representative.
  • [2098] The Information Security Oversight Office (ISOO)
    The Information Security Oversight Office (ISOO) is responsible to the President for policy and oversight of the Government-wide security classification system and the National Industrial Security Program. ISOO receives authority from:

    * Executive Order 12958, as amended "Classified National Security Information" [PDF]
    * Executive Order 12829, as amended "National Industrial Security Program" [PDF]

    ISOO is a component of the National Archives and Records Administration (NARA) and receives policy and program guidance from the National Security Council (NSC).

    ISOO has three components:

    The Classification Management Staff:

    Develops security classification policies for classifying, declassifying and safeguarding...
  • [1956] National Industrial Security Program (NISP) Cleared Contractor Facilities Periodic Reinvestigations for Cleared Personnel
    6/9/2010 notice from DSS:

    Effective immediately, the Defense Industrial Security Clearance Office (DISCO) will identify and subsequently notify NISP cleared contractor facilities of cleared personnel who are eligible or overdue for a periodic reinvestigation (PR). Eligibility for a PR is contingent upon the access level and the closed date of the investigation. Contractor facilities are highly encouraged to begin identifying those employees who maintain a security clearance and are eligible for a PR. This will allow the cleared contractor facility to reconcile any discrepancies between the Joint Personnel Adjudication System (JPAS) and the actual employment or clearance status of the employee. Once a cleared contractor facility is notified a PR is due for its employee, the...
  • [1627] (6/28/10) NEW!!!! Electronic Communications Plan (ECP) Released
    The Defense Security Service is pleased to release an Electronic Communications Plan (ECP) template for use by facilities cleared under the National Industrial Security Program (NISP). This new product supports the National Industrial Security Program Manual (NISPOM) and provides tools to mitigate Foreign Ownership Control or Influence. The ECP template will assist Industry with developing appropriate security countermeasures to effectively monitor electronic communications and ensure that unclassified systems/networks are protected from FOCI.

    Effective immediately, those companies that are in the FOCI mitigation process and will require an ECP, must comply with the requirements of the new template within 45 days of the execution of the FOCI mitigation agreement.
    ...
  • [1572] DSS releases 2008 "Targeting U.S. Technologies: A Trend Analysis of Reporting from Defense Industry"
    The DSS Counterintelligence Office has released the 2008 "Targeting U.S. Technologies: A Trend Analysis of Reporting from Defense Industry." This DSS report is based on an analysis of Suspicious Contact Reports received from defense industry and identifies the most frequently targeted U.S. technologies, reflects the most common collection methods utilized, identifies entities attempting the collection, and identifies the regions where these collection efforts originate. The "Targeting U.S. Technologies: A Trend Analysis of Reporting from Defense Industry" is available via the DSS.mil website.
  • [1443] 6/12/09 - DSS announces 2009 Cogswell Winners.
    James S. Cogswell Outstanding Industrial Security Achievement Awards for 2009

    ALEXANDRIA, Va. – June 12, 2009

    The Defense Security Service (DSS) is pleased to announce the recipients of the 2009 James S. Cogswell Outstanding Industrial Security Achievement Award. The 14 facilities selected for the award will receive recognition at the annual training seminar of the National Classification
    Management Society (NCMS) on June 17, 2009, in Anaheim, California.

    The Cogswell award, established in 1966, is named in honor of the late Air Force Col. James S. Cogswell, the first chief of industrial security within the Department of Defense.
    Cogswell was responsible for developing the basic principles of the Industrial Security Program, which include an...
  • [1312] SLOTS AVAILABLE FOR DOD SECURITY SPECIALIST COURSE, OCTOBER 19-30, 2009
    SETA Flash - August 21, 2009

    Space is still available for October 19-30, 2009, iteration of the DoD Security Specialist course. This entry level course introduces the student to security disciplines, policies, procedures, and their interaction and implementation as they apply to the Department of Defense (DoD) Security Specialist career field. The course provides a common body of knowledge that promotes understanding of the scope, importance, and interdependency of the information, physical, industrial, personnel, communications, operations security programs, and other specialized areas. The intensive curriculum relates the programs to the installation level and demonstrates interrelationships.

    The course integrates programs through discussion, study, and exercises...
  • [1281] National Industrial Security Program (NISP) Fact Sheet
    April 2009 - issued by DSS

    National Industrial Security Program (NISP) Fact Sheet

    The NISP was established by Executive Order 12829 to ensure that industry safeguards the classified information in their possession or to which they have access while performing work on contracts, programs, bids or research and development efforts. The Defense Security Service (DSS) administers the NISP on behalf of the Department of Defense as well as 23 non-DoD federal agencies within the Executive Branch. Presently, DSS has Industrial Security oversight responsibility for over 12,000 cleared companies participating in the NISP.

    To have access to U.S. classified information and participate in the NISP, a company or other designated operating entity in private industry or...
  • [1246] Profile of Kathleen M. Watson - Director of the Defense Security Service
    Kathleen M. Watson was named Director of the Defense Security Service (DSS) on Feb. 18, 2007. She is a member of the Senior Executive Service.

    DSS ensures the protection of U.S. and foreign classified or sensitive information in the possession of industry; facilitates the personnel security process; delivers security education and training; and, provides information technology services in support of Department of Defense (DoD) and partner agency industrial and personnel security missions.

    Prior to being assigned to DSS, Ms. Watson was a staff attorney in the DoD Office of General Counsel where she provided legal support to the Office of the Under Secretary of Defense for Intelligence.

    Prior to her DoD assignment, Ms. Watson had a long and distinguished...