Cybersecurity has been and remains one of the hot topics in corporate governance. Several federal regulatory agencies, including the SEC, have made it clear that cybersecurity is at the top of their agendas. The SEC’s particular cybersecurity focus has been on consumer privacy and on corporate disclosure. But though the SEC has made cybersecurity issues, including disclosure, a top priority, very few public companies are actually disclosing cybersecurity and data breach incidents in their SEC filings. The current disclosure practices could be a concern for investors – and for D&O underwriters.
Just to review the relevant background about cybersecurity disclosure, the SEC Division of Corporation Finance issued its Disclosure Guidance on Cybersecurity in October 2011 (discussed here). Among other things, the Guidance suggested that appropriate risk factor disclosures might include:
- Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
- To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
- Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
- Risks related to cyber incidents that may remain undetected for an extended period; and
- Description of relevant insurance coverage.
The third bullet point in this list, relating to the disclosure of cyber incidents, is of particular relevance to this discussion. Of particular concern is the Guidance’s emphasis on the disclosure of incidents that are “material.”
According to a September 19, 2016 Wall Street Journal article entitled “Corporate Judgment Call: When to Disclose You’ve Been Hacked” (here), notwithstanding the long-standing SEC disclosure guidelines, companies are being hacked more frequently but are not disclosing these incidents in their periodic reports to the SEC. The article cites a recent Audit Analytics report, in which the firm reviewed the filings of nearly 9,000 reporting companies during the period from January 2010 to the present. The report found that only 95 of these companies had informed the SEC of a data breach. By contrast, according to the Privacy Rights Clearinghouse, the number of data breaches during that period experienced by all U.S. businesses – including both public and private companies – totaled 2,642.
The most important consideration accounting for this apparent discrepancy is the question of “materiality.” Many companies apparently are concluding that if the incident or incidents they experienced are not “material” under the relevant reporting standards, they have no obligation to report those incidents at all.
Significantly, while only a small number of companies have reported cyber incidents in their periodic reports, a greater number are reporting data breaches and other incidents to other regulators. The Journal article cites the Audit Analytics report as stating that about 300 publicly traded U.S. companies have reported cybersecurity incidents to a state regulator or directly to affected consumers over the past six years.
Obviously, whether or not any potentially reportable item is “material” and therefore subject to disclosure is a judgment call of a type that corporate officials have long been called upon to make. The concern is that these types of judgment calls can be subject to hindsight scrutiny. In that regard, it is probably worth noting that to date the SEC has not yet brought a regulatory enforcement action against a company that failed to disclose a cyber incident – but, the Journal article notes, SEC officials “have not ruled out doing so.”
Though the SEC has not yet filed a regulatory enforcement action, it otherwise has been active in this area. According to published accounts, the SEC’s Division of Corporation Finance has sent comment letters to a significant number of companies asking them to supplement or amend their filings. As discussed here, the kinds of things on which the SEC has requested further elaboration include: whether data breaches have actually occurred and how the companies have responded to them; separate disclosure of cybersecurity risks, broken out from other types of risks, because the risk of cybersecurity attacks differs in kind from the risk of other types of disasters or attacks; and, for companies that have suffered cyber breaches but not disclosed them, an explanation of why the company does not believe the attack is sufficiently material to warrant disclosure.
It is worth noting that the Audit Analytics report is not the first study to highlight concerns regarding public companies’ disclosure practices. As I noted in a prior post (here), earlier studies have also noted this concern. Investors have also taken note of corporate disclosure practices; according to the Journal article, “investors are clamoring for more information about cybersecurity risks and data breaches, particularly those that affect company profits.” In light of these concerns, the American Institute of Certified Public Accountants has proposed new guidelines for company officials to use in describing their cybersecurity programs and efforts.
While there is no doubt that company officials could come under fire if questions arise about whether they disclosed insufficient information about a cybersecurity incident at their firm, there are countervailing considerations that in at least some instances arguably militate against more active disclosure. As the Journal article notes, “frequent disclosure of insignificant cyberincidents could overwhelm investors and harm a company’s share price.” As one commentator cited in the Journal article noted, “there could be a lot of noise.”
There is no doubt that company executives regularly must exercise their judgment about what to disclose and when to disclose it, with respect to cybersecurity issues as with respect to other matters concerning a company’s performance and operating environment. Hindsight second-guessing about these kinds of disclosure decisions is of course always a concern. As noted above, the SEC itself might select a company and choose to question its disclosure practices, in order to make an example and highlight the agency’s priorities about cybersecurity disclosure.
In addition, investors (and their attorneys) armed with the benefit of hindsight might attempt to allege that the company and its officials improperly failed to disclose known cybersecurity incidents and vulnerabilities. There have been numerous suggestions from commentators (as discussed, for example, here) that we may be about to see an increase in securities class action lawsuit filings relating to cybersecurity disclosure issues. There have, in fact, been these kinds of lawsuits in the past; for example, in 2009, a securities class action lawsuit was filed against Heartland Payment Systems and certain of its directors and officers related to the company’s massive data breach. (The court granted the defendants’ motion to dismiss in that case.) None of the more recent high-profile data breaches have resulted in securities class action lawsuits.
The track record so far would suggest a certain degree of skepticism about the likelihood of a significant outbreak of cybersecurity securities class action litigation. Just the same, cybersecurity remains a hot button issue, certainly from a regulatory standpoint. I also think the entrepreneurial and opportunistic plaintiffs’ bar in this country has every incentive to try to come up with a way to pursue claims when and if questions arise concerning cybersecurity disclosure issues.
For that reason, I think cybersecurity disclosure practices should remain a concern and priority for D&O underwriters. As Doug Greene of the Lane Powell law firm noted in a prior post on his blog D&O Discourse commenting on the possibility of future data breach-related securities class action litigation, “the risk is high enough that all companies need to pay more attention to their cybersecurity disclosures.” Insurers, brokers and risk managers need to be mindful of the continuing potential securities class action risk in this area.
And Speaking of Hot Button Disclosure Issues: Along with cybersecurity issues, another emerging exposure area that has been the focus of disclosure issues has been climate change. Among other things, as I noted in a prior post (here), the New York Attorney General has made it clear that he intends to pursue Exxon Mobil Corp. with respect to the oil company giant’s climate-change related disclosures. According to a front-page September 21, 2016 Wall Street Journal article (here), it now appears that the SEC is getting into the act as well. According to the Journal, the SEC is investigating how the company is valuing its assets in light of climate-change related issues, a probe that, according to the Journal, “could have far-reaching consequences for the oil and gas industry.”
According to the Journal article, in August, the SEC requested information from the company and its auditor. The SEC apparently is focusing on how Exxon calculates the impact to its business from the global response to climate change, particularly with respect to what assumptions and figures the company is using to calculate its future costs of complying with greenhouse gas regulations. The agency reportedly is also investigating the company’s long-standing practice of not writing down the value of oil and gas reserves when prices fall.
Regardless of whether the SEC inquiries lead to any sort of regulatory action, it is clear that the increased regulatory scrutiny has implications for others in the oil and gas and other energy-related industries. Indeed, in my earlier post about the NYAG’s climate change-related inquiries to Exxon, I noted that the NYAG’s office had reached a settlement with Peabody Coal resolving charges that the company’s climate change-related disclosure violated New York law.
The possibility that climate change-related disclosure might emerge as the source of corporate liability exposure has been around for years, but always somewhat in the background. It may yet stay in the background; the current brouhaha about Exxon’s alleged climate change-related omissions may quickly fade. Or it just may be the first of several public skirmishes about climate change disclosure. Certainly, as I have noted in prior blog posts (for example, here), environmental activists have long wanted to try to make climate change disclosure issues a source of liability for directors and officers of energy companies.
In my view, whether or not the NYAG or the SEC take any action now with respect to Exxon’s disclosures, it is only a matter of time before regulators or claimants take on a company about its climate change-related disclosures. Elected officials eager to generate publicity and curry favor with interest groups will inevitably find this issue too inviting to ignore. Enterprising plaintiffs’ lawyers seeking to diversify their product line will likely try to determine whether or not climate change disclosure represents a promising new liability area.