In the following guest post, John Cheffers analyzes the data relating to cybersecurity incidents at companies listed on Nasdaq and New York Stock Exchange. John is Associate Counsel and Director of Research at Watchdog Research. I would like to thank John for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
Cybersecurity has gone from a niche concern to a hot topic in the D&O insurance world. A cybersecurity breach can be extremely disruptive to any business, but (adding injury to injury) these breaches can also be the source of damaging class action litigation.
At Watchdog Research we analyze information disclosed by public companies, including information on cybersecurity incidents, Securities Class Action lawsuits, and disclosure controls.
The research presented here relates to Nasdaq and NYSE listed public companies and is derived from our report “Cybersecurity Incidents and Litigation: 2021,” by Joseph Burke, PhD, Joseph Yarborough, PhD, and John Cheffers and primarily based on data from Audit Analytics.
We began by looking at incidents that occurred at companies listed on the NYSE and Nasdaq over the past ten years, and the growth rate of cybersecurity incidents is alarming:
Despite concerns that cybersecurity incidents would increase during the pandemic as businesses moved more of their operations online, total reported cybersecurity incidents fell during 2020. However, through July 2021, there have already been 106 reported cybersecurity incidents, putting 2021 on pace for a record breaking year.
If you segregate the companies by size, you can see that risk is most concentrated for large companies. Large companies, those with a market capitalization of $10 billion or more, are the population most at risk for a cyberattack.
Another interesting development is that ransomware attacks and unauthorized access attacks have become much more common in the last few years.
Cybersecurity Securities Class Actions
A cyberbreach at a company creates all sorts of problems, including litigation. Even though the number of cybersecurity incidents has increased dramatically, the number of cyber-related lawsuits has not followed suit. As we can see here, the probability that a public company is named as a defendant in a cybersecurity-related suit has remained very low.
Our review of these cases indicates that it is often difficult for the plaintiffs in these cases to allege specific damages based on a mere breach of information.
Additionally, the fact that a company suffered a cybersecurity breach, even a serious one, will not necessarily prove that the company failed to take reasonable cybersecurity measures (see the dismissal of the suit against Marriott).
Disclosure Controls Concerning IT Issues
Under Section 302 of the Sarbanes-Oxley Act of 2002 (SOX), public companies must assess and report on their disclosure controls in their quarterly and annual reports. As part of their SOX 302 assessments, companies have increasingly included discussions of information technology (IT) and cybersecurity issues.
According to Audit Analytics, which gathers and categorizes this information, an IT issue is defined as:
[D]eficient program controls, software programs/implementation, segregation of duties associated with personnel having access to computer accounting or financial reporting records and related problems with oversight/access to electronic data/programs
A disclosure control relating to IT can also be an early warning signal for cybersecurity issues. For example, PayPal has only issued one disclosure control in the last five years; it was issued on October 24, 2017 and related to IT issues. On December 1, 2017, PayPal revealed that it had suffered a major cybersecurity breach related to its acquisition of TIO. This led to a securities class action suit that was eventually dismissed.
The chance of being involved in a cybersecurity securities class action lawsuit is still relatively low, but it is increasing rapidly. Additionally, the risk profile is far higher for large companies, which are more likely to be a victim of a cybersecurity incident.
Companies are also apparently increasing their scrutiny of their own systems, as the number of companies that have identified IT issues in their disclosure controls has increased significantly over the last decade.
Thankfully, cybersecurity litigation remains relatively rare, despite the increase in attacks. If company boards wish to mitigate their risk of being victimized twice (by hackers and by lawyers), then they need to learn from their successful peers and make wise and strategic decisions.
If you want to learn more about our research or the report this blog is derived from, then please contact firstname.lastname@example.org.