The SEC has published new guidance recommending that publicly traded US companies disclose cybersecurity risks and incidents related to IT asset retirement. If assets like laptops are lost or stolen during retirement, exposed data could constitute a cyber incident negatively impacting the company. The SEC guidance specifies six disclosure areas companies should consider, including risk factors, business descriptions, legal proceedings, and financial impacts. Given increased focus on cyber risk disclosure, companies should ensure IT assets are securely retired to minimize risks and protect the company.

1. ALERT
The Last Link of the Cybersecurity Chain:
Don’t Let IT Asset Retirement Expose Your Corporation
SEC Guidance on risk, exposure to cyber incidents could adversely affect
customer or investor confidence. As the guidance states,
Cybersecurity and “federal securities laws, in part, are designed to elicit
IT Asset Retirement disclosure of timely, comprehensive, and accurate
information about risks and events that a reasonable
investor would consider important to an investment decision.”
IT ASSET RETIREMENT:
THE REAL RISKS WHAT SHOULD BE DISCLOSED?
How IT assets are retired plays a significant role in According to the SEC’s guidance, companies should
mitigating risk to a company’s bottom line. The U.S. consider a discussion of cybersecurity risks within the
Securities and Exchange Commission recently published following six required disclosure sections. This discussion
new disclosure guidance recommending that publicly would be included in a company’s annual report.
traded companies based in the United States disclose
their cyber risk. 1. isk Factors: Given that publicly traded companies
R
are obligated to analyze their risks, the SEC
If an IT asset such as a laptop is stolen, or if it is lost in recommends disclosing the probability of cyber
transit once it is marked for retirement, the exposed data incidents, their quantitative and qualitative impact,
on the hard drive or memory constitutes a cyber incident. and the consequences of leaking sensitive or corrupted
The data that may be recovered illegally can negatively data. In addition, the SEC advises disclosing the
impact the company, its suppliers, and its customers. areas of operations with material cyber risks and
the potential costs and consequences related to
INCREASED VIGILANCE those risks. The SEC indicates that a description of
how a company addresses material cybersecurity
IN NEW GUIDANCE FOR
risks for any pertinent outsourced functions may
PUBLIC COMPANIES be appropriate.
While the formal guidance from the SEC’s Division of
Also, exposure analyses might also include an
Corporate Finance covers all aspects of cyber exposure,
assessment of cyber risks that may remain
Intechra knows that one of the greatest risks occurs at the
undetected for an extended period of time.
point of IT asset retirement—and that this phase of the IT
life cycle is where many public companies are least vigilant. 2. anagement’s Discussion and Analysis of
M
The SEC’s recommendations that companies disclose Financial Condition and Results of Operations:
their potential or past exposure could cause many public Cases where cyber risks and incidents represent
firms to review and possibly rethink their processes and a material event, trend, or uncertainty may
reporting related to the disposition of IT assets. The negatively impact a firm’s operations, liquidity,
SEC published this guidance based on increased focus or current or future financial condition or results
by publicly traded companies and legal and accounting should be noted, as should material increases
professionals on how cyber risks and their related in expenditures used to prevent the loss of
impact should be described within the framework of intellectual property during an attack.
corporate disclosure obligations. As with any business

2. 3. Firm’s Description of Business: If an event or
CALL TO ACTION FOR
events impact products (including those in
development), services, or customer or supplier
PUBLIC COMPANIES
The SEC has revised its position, stating that cyber
relationships, the incident or incidents and the
disclosures should now be viewed in the aggregate,
related potential material affect should be discussed.
which means that it is even more likely that incidents
4. Legal Proceedings: If a material legal proceeding
will be come to light.
includes a cyber incident, these facts may need to
The SEC lists many potential consequences of cyber
be disclosed.
incidents throughout the corporate IT life cycle, from
5. Financial Statements: The SEC recommends
litigation exposure to loss of revenue to increased insurance
considering disclosing costs associated with scrutiny. While there are many points of potential failure
preventing cyber incidents; providing incentives to throughout the life cycle, the unsecured or ineffective
customers to mitigate reputational damage resulting retirement of IT assets remains fraught with many risks and
from a cyber attack; and detailing current and exposures for public firms. Whether retired corporate
future losses directly or indirectly resulting from technology assets are remarketed or recycled, these
cyber incidents. actions must be handled with the utmost professional
6. Controls and Procedures: The SEC recommends
diligence and recorded transparency to ensure that
consideration of whether deficiencies in a firm’s cyber risks are minimized and the company is protected.
disclosure controls and procedures could result Read Intechra’s One Sheet on the subject for a solution
from cyber incidents. that will help your company ensure that IT assets are
securely retired.
The Price Companies Could Pay
for Unnecessary Risks
If computers and other IT assets are improperly retired or carelessly disposed of, many state and
federal compliance regulations levy financial penalties.
Fines alone are substantial and must be reported:
Gramm-Leach-Bliley Act (Financial Institutions) . . . . . . . . . . . . . . . . . . $100,000 per violation
Sarbanes-Oxley Act (Accounting Governance) . . . . . . . . . . . . . . . . . . . . . . . . . . $5,000,000
Health Insurance Portability and Accountability Act . . . . . . . . . . . . . . . . . . . . . . . $1,500,000
Fair and Accurate Credit Transactions Act . . . . . . . . . . . . . . . . . . . . . . . . $2,500 per violation
Fines and litigation together can run into the millions, and the damage to brand reputation also
can cost a company. Even one improperly retired asset could lead to multiple cases of identity
theft, a public relations crisis, or even a reported case of environmental pollution.