As the latest 10-K filing period for corporations draws to a close, the Securities and Exchange Commission (SEC) is expected to intensify its scrutiny on whether companies’ filings adequately disclose both information security breaches that occurred in the past, and the material risks due to cyber threats such companies face in the future. Since the Senate Commerce Committee focused greater attention upon corporate cybersecurity in a letter to the SEC on May 12, 2011, momentum has been building for expanded corporate disclosure of cybersecurity safeguards and security breaches. In October 2011, the SEC issued guidance that publicly traded companies have a duty to disclose “material information regarding cybersecurity risks and cyber incidents” where failure to do so would make other disclosures misleading. Recent developments both inside and outside the SEC show that corporations can expect an even brighter spotlight this year upon their cybersecurity efforts – and shortfalls. Now more than ever, publicly traded companies need to be prepared to address, whether in responses to SEC comment letters or in preparing future filings, what material risks they may have due to cyber threats and whether they have taken steps to address such risks and vulnerabilities.
In its 2013 Examination Priorities, the SEC identified a number of “risk areas” attracting its focus, including enterprise risk management and companies’ “governance and supervision of information technology systems for topics such as operational capability, market access, and information security, including risks of system outages, and data integrity compromises that may adversely affect investor confidence.” These Examination Priorities were published on February 21, 2013, one week after the President issued an Executive Order on improving critical infrastructure cybersecurity, and several days after the release of the Mandiant report, which tied the Chinese military to cyberattacks on over 140 U.S. and other foreign corporations and entities.
The SEC’s guidance to companies focused upon certain factors that may create a material cybersecurity risk and thereby trigger a corporate duty of disclosure. In describing cybersecurity risks, the SEC guidance recognized the impact that cyber attacks and breaches may have upon corporations, including:
- Remediation costs that may include liability for stolen assets or information, repairing system damage, or even incentives offered to customers or other business partners in an effort to maintain business relationships after an attack;
- Increased cybersecurity protection costs that may include deploying additional personnel and protection technologies, engaging third-party expertise, and training employees;
- Lost revenues resulting from unauthorized use of proprietary information, or the loss of current or potential customers following an attack;
- Litigation; and
- Reputational damage.
The risks acknowledged in the guidance are borne out by the massive costs that U.S. companies have incurred in recent years as a result of cybertheft. In 2009, President Obama observed that cyber criminals had stolen intellectual property and trade secrets from businesses worldwide with an estimated value of up to $1 trillion. According to a report released by the Department of Justice this month, in the past year a single employee working for an American company was convicted of stealing her employer’s proprietary information that was reportedly worth $400 million. Nor are less prominent targets safe: As the Verizon report warned this month, both small and large companies are targets of cyber espionage campaigns. The SEC guidance represents an effort to ensure that companies are forthcoming about these risks with investors and with the general public.
The SEC guidance requires companies to first assess whether a cybersecurity incident or risk is sufficiently “material” to warrant a disclosure, and, second, what information must be included in such a disclosure.
Material risk or incident. The SEC guidance adopts the definition of “material” as presenting “a substantial likelihood that a reasonable investor would consider [the information] important in making an investment decision or if the information would significantly alter the total mix of information made available.” In articulating this standard, the guidance references the Securities Act Rule 402, Exchange Act Rule 12b-20, Exchange Act Rule 14a-9, and the Supreme Court decisions in Basic, Inc. v. Levinson, 485 U.S. 224 (1980); TSC Indus., Inc. v. Northway, Inc., 426 U.S. 438 (1976). In assessing whether a risk or incident is material, the guidance advises companies to consider factors such as prior breaches and the costs incurred, attacks that have been threatened, and the adequacy of actions taken to prevent or mitigate cybersecurity risks in the particular context of the industries in which they operate.
What to include in a disclosure. Referencing generally the Regulation S-K Item 503(c) requirements for disclosing risk factors, the SEC guidance requires companies to describe both the nature of any material risks and the effects of each breach. The guidance contains broadly worded categories to indicate that, in assessing their adequacy, the agency will consider whether disclosures:
- Discuss aspects of the company’s business or operations that gave rise to the material cybersecurity risks, as well as potential costs and consequences;
- Describe any outsourced functions with material risks and how the company addresses these risks;
- Describe cyber incidents against a company that are material, either individually or in the aggregate, and the costs and consequences of those incidents;
- Address “risks related to cyber incidents that may remain undetected for an extended period”; and
- Describe what, if any, relevant insurance coverage the company has.
The SEC’s disclosure obligations with respect to risk assessments, security safeguards, and breach reporting also parallel information security requirements with which companies must comply, such as the Federal Information Security Management Act, the Health Insurance Portability and Accountability Act, and security breach notification laws in various states.
2013 Filings and Beyond:
Since the SEC’s guidance in October 2011 and the subsequent updates in February 2013, corporations have had relatively limited experience applying the guidance and making public disclosures. The 2013 corporate filings submitted at this juncture have generally included very brief, high-level statements that some risk of a cybersecurity breach is present and that, in the event of a breach, adverse consequences may result. Very few companies have openly acknowledged being victims of security breaches or cyber attacks – and nearly all have described these incidents as not inflicting any material costs or consequences on the operations of their companies.
A number of open questions in this area remain, including how expansive a view of the term “material” the SEC will adopt, whether it will demand more information about cybersecurity risks from companies within certain industries, and how a company can sufficiently disclose “risks related to cyber incidents that may remain undetected for an extended period.” As the SEC’s Corporate Finance Division issues comment letters requesting that companies provide additional information in their 10-K filings, we will continue to look for insights on these issues and assess what this may mean for companies submitting filings on cybersecurity breaches and risks going forward. In addition, these insights will undoubtedly influence the conduct and best practices of privately held companies – stay tuned.