One of the fundamental principles on which our system of securities regulation is based is the importance of disclosure. The system is built on the notion that companies must disclose certain basic information about their operations and performance so that investors can make informed investment decisions. While the required disclosures are a matter of statute and regulation, investors' and regulators' expectations about what must be disclosed change over time. Signs are that disclosure expectations — and as a result disclosure practices — are changing rapidly in two particular areas: cybersecurity and climate change.
First, with respect to cybersecurity disclosures, a July 26, 2017 Bloomberg article entitled “Corporate Cyber Security Risk Disclosures Jump Dramatically in 2017” (here) reports that “more public companies described ‘cybersecurity’ as a risk in their financial disclosures in the first half of 2017 than in all of 2016, suggesting that board and C-suite fears over data breaches may be escalating.” The article’s authors found that 436 reporting companies specifically referenced “cybersecurity” as a risk factor in their periodic SEC filings in the first six months of 2017, compared to 403 in all of 2016, and 305 in 2015.
That the increase in cybersecurity risk factor disclosure is taking place now is interesting, given that the SEC staff issued guidance encouraging cybersecurity disclosure as far back as October 2011 (the Division of Corporation Finance's CF Disclosure Guidance: Topic No. 2). The recent increase suggests a growing awareness among reporting companies that cybersecurity issues represent a material area of concern.
From a risk management perspective, cybersecurity disclosure is an important tool in attempting to mitigate the harm that may follow from a data breach or other data incident. As underscored in an August 4, 2017 post on the Federal Securities Law Source (here), one of the consequences that can follow in the wake of a data breach is follow-on civil litigation in which the company's cybersecurity disclosures will be scrutinized closely. Among the recent examples in which cybersecurity disclosure is being questioned in the wake of news of a data breach is the securities class action lawsuit filed against Yahoo!, as noted here. The Yahoo! data breaches also resulted in the filing of a shareholder derivative suit (as discussed here). As discussed in a July 7, 2017 Law360 article (here), signs are that cybersecurity disclosure is likely to be an enforcement priority under the current administration.
With respect to climate change disclosure, as detailed in an August 7, 2017 post on TheCorporateCounsel.net, the Financial Stability Board's Task Force on Climate-related Financial Disclosures (TCFD) has released its final recommendations on climate-related financial disclosures, along with supporting materials. These recommendations, although voluntary, are significant because the task force was organized by the G20, and the recommendations were in fact released at the recent G20 meeting in Hamburg. As explained in a June 30, 2017 Davis Polk law firm blog post, the recommendations are "particularly relevant because of the FSB's status as an international body founded by the G7 which coordinates national financial authorities and international standard-setting bodies, including the U.S. Securities and Exchange Commission, as these entities work toward developing strong regulatory, supervisory and other financial sector policies."
The Davis Polk blog summarizes the recommendations, noting that "the recommendations boil down to four thematically related areas: governance, strategy, risk management, and metrics & targets." TheCorporateCounsel.net notes that the recommendations are ambitious and that disclosure standards will continue to evolve.
As I noted in a recent post, notwithstanding the U.S. withdrawal from the Paris climate accords, climate change will remain a high-profile issue for many corporate boards and potentially could be a source of future corporate claim activity. Indeed, the political setback that the administration's withdrawal represents for climate-focused interest groups increases the likelihood that those groups will turn to other measures, including litigation, to advance their agendas.
These developments relating to cybersecurity and climate change related disclosure suggest a number of observations:
- Cybersecurity and climate change-related disclosure are likely to continue to be areas of regulatory interest and scrutiny;
- Norms for cybersecurity and climate change-related disclosure seem likely to continue to develop and evolve;
- From a risk management perspective, cybersecurity and climate change-related risk factor disclosures are areas on which companies should focus;
- Issues pertaining to cybersecurity and climate change-related disclosure seem likely to continue to present the possibility of regulatory enforcement activity and of related civil litigation.
From a D&O insurance perspective, it seems likely that cybersecurity and climate change-related disclosures will be increasingly important areas of scrutiny for risk selection and risk segmentation purposes.