The threat of a cybersecurity breach is unfortunately one of the ongoing business risks companies face n the current operating environment. For that reason, corporate disclosures of cyber-breach related risks have been a priority of the SEC’s Division of Corporate Finance as well as the agency’s new Chair, Mary Jo White. The agency’s developing practices and priorities in the area of cyber-risk related disclosure, as well as the implications of the agency’s practices for potential director and officer liability, is the subject of a November 1, 2013 Law 360 article by Anthony Rodriguez of the Morrison & Foerster law firm entitled “SEC Continues to Target Cybersecurity Disclosure” (here, subscription required).
It has been over two years since the SEC Division of Corporate Finance issued its Disclosure Guidance on cybersecurity (about which refer here). Among other things, the Guidance suggested that appropriate risk factor disclosures might include:
- Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
- To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
- Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
- Risks related to cyber incidents that may remain undetected for an extended period; and
- Description of relevant insurance coverage.
Though the Corporate Finance Division issued these provisions in the form of disclosure guidance only, the Division has also made it clear that it intends to police company’s practices in this area. According to the article, the agency’s Corporate Finance Division “has issued comments to approximately 50 companies about cybersecurity since it issued the disclosure guidance.” The comments not only underscore the agency’s “sustained interest” in the topic, but its comments also encourage disclosures “that go beyond a rote warning that a cyber problem could have some type of adverse impact on the business.”
As discussed here, the kinds of things about which the Corporate Finance Division has requested further elaboration include: that companies disclose whether data breaches have actually occurred and how the companies have responded to such breaches; that cybersecurity risks should be broken out separately and stand alone from disclosure of other types of risks because of the distinct differences between the risk of cybersecurity attacks and the risk of other types of disasters or attacks; and for companies that have suffered cyber breaches, additional information regarding why the public company does not believe the attack is sufficiently material to warrant disclosure.
According to the Law 360 article, the kinds of comments the agency has provided include a request that a company’s statement that cyber attacks are regarded as “unlikely” be reviewed and that consideration be given to revising the statement. Similarly, a company that had disclosed that what “could” happen in the event of a cyber attack was asked to disclose whether it had experienced “any cyber breaches, cyber attacks or other similar events in the past.”
The article notes that
It may just be a matter of time before two factors align: (1) news of a successful cyber attack that sends a company’s share price plunging, and (2) the company’s public statements about it cyber defenses appear in hindsight (at least to a plaintiff’s attorney) to have been clearly erroneous.
When this happens, the article’s author suggests, the company and it is directors and officers will likely be hit with “one or more complaints asserting securities, fiduciary duty and other claims on behalf of a class, derivatively or both.”
Though the company would have defenses to any claim of this type, “the quality of the company’s cybersecurity disclosures could be important to deter or defeat such claims.” The company’s management should ensure that the company’s cybersecurity disclosures “are made with as much care as the typically well-vetted statements regarding financial results, growth prospects and unique business risks.”
At the same time, the company’s directors “should work in good faith to stay informed about the corporation’s cybersecurity defenses and the processes by which management builds and maintains those defenses.”
The extent of the SEC Corporate Finance Division’s scrutiny of companies’ cybersecurity disclosure is an important point. The fact is that (as noted in a recent post) many companies have not modified their disclosure practices notwithstanding the SEC’s cybersecurity disclosure guidance.
As always whenever there are disclosure requirements, there is always room for allegations that the disclosures are misleading or incomplete. Whether or not plaintiffs’ attorneys target companies for their cybersecurity disclosures, there is the possibility that the SEC may target a company for its cybersecurity disclosures as a way to highlight the importance of the issue and as a way to encourage other companies to focus more on their cybersecurity risk disclosures.
Though there have already been a small number of cases in which plaintiffs’ attorneys have sought to hold corporate directors and offices liable for cybersecurity disclosure violations or for breaches of fiduciary duties in connection with cybersecurity, these kinds of cases have not yet become a common phenomenon. Whether these kinds of cases will become more frequent, it does seem probable that cybersecurity disclosure will continue to face heightened scrutiny.
A guest post on this blog by D&O maven Dan Bailey on the steps companies should take in light of the continuing importance of these issues can be found here. A summary of the critical questions directors should be asking about cyber risk insurance can be found here.