Earlier this month, fitness-tracking company Fitbit, Inc. filed a Form S-1 Registration Statement for an IPO of up to $100 million that exhaustively disclosed potential cybersecurity risks with respect to the personal data the company collects. As businesses collect and process voluminous amounts of consumer data, and as data breaches become more widespread, registration statement disclosures discussing cyber risk have garnered much attention. It is critical for companies to both analyze their cyber risks before going public and to provide relevant, concise and timely disclosures on an ongoing basis for investors to consider.
According to SEC guidance, public companies must disclose cybersecurity risks and incidents that could have a material impact on profitability. Regulation S-K Item 503(c) requires that disclosures be concise and tailored. Clear and relevant cyber risk disclosures may be critical in preventing or mitigating future scrutiny from regulators and shareholders. While a dearth of applicable risk factors may open the company up to potential liability, disclosing a plethora of risk factors that are not tailored or applicable to the company is ill-advised as well. Boilerplate risk factors can obscure important company-specific risks and thereby increase liability. In addition to SEC scrutiny of cyber risks, shareholders in class action suits may claim to have been harmed by a breach resulting from an undisclosed, obscured or hidden risk factor.

In its S-1, Fitbit disclosed cybersecurity risk factors such as vulnerabilities created by its regulatory requirements and other legal privacy requirements, the volume and sensitivity of the information collected, and its third-party vendors. Although the Fitbit disclosures broadly cover risks, its S-1 may lack important specifics, such as its third-party vendor utilization and processes. Best practices dictate that companies filing for IPOs thoroughly consider their cyber risk profile to avoid future risk and potential liability. Companies have an ongoing obligation to keep such information up to date in the event of newly discovered cyber risks or significant breach incidents.