I am sure many readers were disturbed as I was by the February 19, 2013 New York Times article reporting that a Chinese army unit apparently has been executing a concentrated cyber-hacking program targeting U.S. companies and critical U.S. infrastructure. (The report of consulting firm Mandiant that was the basis of the Times article can be found here.) This story is part of a rising tide of media reports about cybersecurity risks. Indeed, concerns about these kinds of activities led to President Obama’s February 12, 2013 Executive Order entitled “Improving Critical Infrastructure Cybersecurity” (here).
Although the recent disclosures are quite troubling, it is not news that cybersecurity risks represent a significant concern for just about every company involved in the current economy. Prior posts on this site (for example, here) have detailed the liability exposures that these risks represent for all of these companies and for their directors and officers. But while these issues are not new, it really seems that as we have headed into 2013, the volume on these issues has been turned up. It now seems clear that cybersecurity is going to be one of the hot button issues for the foreseeable future, both in the media and for the affected companies.
The heightened scrutiny of cybersecurity issues has a number of important implications for potentially affected companies, and not just from an operational standpoint. These developments also have important implications for a public company’s public disclosure statements, and, as a consequence, for the company’s potential regulatory and litigation exposures.
Indeed, according to a February 21, 2013 memo from the King & Spalding law firm entitled “Cybersecurity: The New Big Wave in Securities Litigation?” (here), “it is likely that this issue will continue to gain momentum among both government regulators and opportunistic plaintiff lawyers seeking to catch the next wave of shareholder litigation.” In particular, the failure to promptly disclose a cyber breach “may put a company at risk of facing formal SEC investigations, shareholder class actions, or derivative lawsuits.”
As the memo notes, the SEC “has already taken a firm stand on cybersecurity disclosures, and clearly views this issue as ripe for enforcement actions.” In October 2011, the SEC’s Division of Corporate Finance issued “Disclosure Guidance” on cybersecurity-related issues. Among other things, the Guidance clarified that the agency expects companies to disclose the risk of cyber incidents among their “risk factors” in their periodic filings and also expects companies to disclose material cybersecurity breaches in their Management Discussion and Analysis.
The law firm memo notes that so far, the SEC’s Guidance “seems to have had little impact on corporate disclosure,” and that in many instances companies experiencing cyber breaches are “choosing to keep those events confidential.” However, “given the increasing awareness of this hot issue,” it seems “likely” that the SEC “will increase pressure on companies to disclose such events.” The memo adds that “companies that have experienced significant cybersecurity breaches should prepare themselves for potential SEC investigations and lawsuits.”
In addition to the risk of SEC enforcement action, companies experiencing cyber breaches also face the possibility of a securities class action lawsuit. However, the memo notes, a company experiencing a cyber breach “will likely not be a target of a securities class action unless the disclosure of the breach can be linked to a statistically significant drop in the company’s share price.” In that respect, it is worth noting that several high profile companies announcing cyber breaches have not experienced a significant drop in their stock price following the announcement. (For example, recent announcements by Facebook, Apple and Microsoft that they have been the target of sophisticated cyber attacks did not affect the companies’ share prices.) Nevertheless, it seems likely that at least some companies experiencing cyber breaches or subject to cyber attacks will also suffer a drop in their share price, and “thus result in securities class action litigation.”
Companies that do not experience a share price decline following a cybersecurity incident may not get hit with securities class action litigation, but they are still susceptible to derivative lawsuits alleging, for example, that company directors breached their fiduciary duties by failing to ensure adequate security measures. As the law firm memo notes, shareholders may claim that senior management and directors “were either aware of or should have been aware of the breach and the company’s susceptibility to hacking incidents.” Of course, any lawsuit of this type would face significant hurdles, including the requirement to make a formal demand on the board as well as the business judgment rule.
In any event, it is clear that cybersecurity issues are going to be an increasing source of scrutiny for companies and their senior officials. This heightened scrutiny not only means that companies will be under pressure to take steps to ensure that their networks and information are secure, but also means that the companies will face pressure both to “disclose the risks associated with potential cybersecurity breaches and provide timely updates when actual breaches occur.” Companies that fall short on these disclosure expectations “will face a substantial risk of regulatory scrutiny and shareholder litigation.”
As Rick Bortnick of the Cozen O’Connor firm discussed in a prior guest post on this site (here), cyber security disclosures have already been the source of securities class action litigation, in the high profile case involving Heartland Payment Systems. Although that case was dismissed, Bortnick points out how different the circumstances and disclosures involved in that case might look if viewed through the prism of the SEC’s 2011 Disclosure Guidance.
Among other implications from these developments is that cybersecurity disclosure seems likely to be the subject of greatly increased scrutiny, suggesting that this disclosure – particularly precautionary disclosure forewarning investors of the possible adverse effects the company could expect in the event of a serious cyber attack – should become a priority for reporting companies.
Finally, these developments and the possible regulatory and litigation implications underscore the fact that cybersecurity exposures represent an important issue to be addressed as part of every company’s corporate insurance program. Indeed, the SEC itself considered the question of insurance for cybersecurity exposures to represent such a critical issue that, in its Disclosure Guidance, it specifically identified the insurance issue as one of the topics companies should address in their disclosure of cybersecurity issues.
The insurance issues related to cybersecurity include not only the question of whether companies should acquire dedicated cyber and network security insurance, but also the question of the protection available to the companies’ senior officials under their management liability insurance policies. The rapidly evolving nature of these issues and the related liability exposures underscores the importance for all companies to have a knowledgeable and experienced insurance professional involved in the design and implementation of their corporate insurance program.
Readers interested in the President’s recent Executive Order and its potential implications will want to take a look at the February 2012 article written by Lockton’s Bill Boeck entitled “Cybersecurity Executive Order: What We Know and What We Don’t Know” (here).
Those who are interested in the implications of these developments for corporate directors will want to review the recent guest post on this site by D&O maven Dan Bailey entitled “Cyber Risks: New Focus for Directors” (here).
Classic Rock Notes: In its February 23, 2013 review of the new autobiography of record industry executive Clive Davis, the Wall Street Journal describes a critical incident that led Davis to become one of the recording industry’s most successful rock music producers. In June 1967, Davis attended the Monterey Pop Music festival, where he heard Janis Joplin deliver a version of Big Mama Thornton’s “Ball and Chain.” Davis described the event as “not merely one of Janis’s greatest moments onstage, but one of the classic performances in rock history. It was simply overwhelming.” Joplin was, according to Davis, “hypnotic” and “mesmerizing.” Davis says he thought on seeing her performance, “This is a social and musical revolution.”
Davis wasn’t exaggerating. Even in the grainy Internet video, Joplin’s performance will give you goosebumps. Crank up the volume on your computer and enjoy (watch for the cutaway shot of Mama Cass Elliot regarding Joplin in slackjawed amazement).