The Risk of Cybersecurity Attacks
With annual reporting season underway, C-suite executives wake to another day and another data breach. Target, Michael’s, Snapchat, Facebook, Twitter, Adobe -- the list goes on and on. By now, all companies should appreciate that, notwithstanding the most robust and sophisticated network security, any company is a vulnerable next “Target” for a serious cybersecurity incident, together with the range of negative consequences that typically follows, including negative publicity, reputational damage that adversely affects customer and investor confidence, lost market capitalization, claims and legal disputes, regulatory investigations -- and falling stock prices. In the wake of its high-profile data breach, Target’s directors and officers were recently hit on January 29, 2014 with a shareholder derivative action alleging that “Target shares were trading above $63.50 on December 18, 2013 before the news of the data breach and have fallen over 10.5% to $57.60” and that “Target … has suffered considerable damage from breach.”
In view of the recent high-profile data breaches, and the pervasiveness of cybersecurity incidents in general, companies are well advised to consider whether their current cybersecurity risk factor disclosures are adequate. Proper attention to cybersecurity risk factor disclosures may assist a company in avoiding a Securities and Exchange Commission (SEC) comment letter. Even more importantly, proper attention to cybersecurity risk factor disclosures may decrease the likelihood that a company will face securities class action litigation and shareholder derivative litigation in the wake of a cybersecurity incident that negatively impacts the company’s stock price -- or, at a minimum, may mitigate a company’s potential exposure in the event of such litigation.
The Form 10-Ks that public companies are preparing to file in the coming weeks present a significant opportunity for companies to review and strengthen their cybersecurity risk factor disclosures, and below we offer five tips that companies may wish to consider in reviewing the adequacy of their existing cybersecurity disclosures.
SEC Disclosure Guidance
By way of background, companies must keep in mind that, although existing disclosure requirements do not (yet) expressly reference “cybersecurity,” the SEC’s Division of Corporation Finance (SEC staff) has emphasized the importance of appropriate cybersecurity disclosures. In the wake of what it termed “more frequent and severe cyber incidents,” the SEC issued cybersecurity disclosure guidance, which advises companies to review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.
While acknowledging that no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, the SEC’s guidance stresses that existing requirements oblige companies to make appropriate cybersecurity disclosures. The guidance states in this regard that a number of disclosure requirements may impose an obligation on registrants to disclose cybersecurity risks and incidents. In addition, the guidance explains that material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.
SEC Chairwoman Mary Jo White reaffirmed a company’s current cybersecurity disclosure obligations in response to an April 9, 2013 letter received from Senate Commerce Chairman Jay Rockefeller. In his letter, Chairman Rockefeller urged the SEC to “elevate [its] guidance,” noting that “[i]nvestors deserve to know whether companies are effectively addressing their cybersecurity risks.” In response, Chairwoman White emphasized that “[e]xisting disclosure requirements … impose an obligation on public companies to disclose risks and events that a reasonable investor would consider material” and that “cybersecurity risks are among the factors a public company would consider in evaluating its disclosure obligations.” Chairwoman White also highlighted that cybersecurity risk “is a very important issue that is of increasing concern” and stated that the SEC “continues both to prioritize this important matter in its review of public company disclosures and to issue comments concerning cybersecurity.”
In its guidance, the SEC staff advises companies to disclose cybersecurity risks consistent with the Regulation S-K Item 503(c) requirements for risk factor disclosures generally, such that the disclosure provided must adequately describe the nature of the material risks and specify how each risk affects the company. The guidance proceeds to advise that appropriate disclosures may include the following:
Although the guidance does not create new cybersecurity disclosure obligations, it is abundantly clear that failure to make adequate cybersecurity disclosures may subject a company to increased risk of enforcement actions and shareholder suits in the wake of a cybersecurity incident that negatively impacts a company’s stock price.
The Five Tips
The following five tips may assist companies in reviewing the adequacy of their existing cybersecurity disclosures based on the SEC’s disclosure guidance as well as comments issued to approximately 55 companies over the last two years.
Notably, the guidance states that appropriate disclosures may include a description of cybersecurity incidents that are material individually or in the aggregate. And the comments issued to date indicate that where a company states that it has not been the victim of a material cybersecurity event, the SEC nonetheless has requested that the company’s risk factor disclosure be expanded to state generally that the company has been the victim of hacking -- regardless of the fact that prior events were immaterial. A few of the SEC comments to date include (in summary form):
In addition, the SEC’s guidance advises that companies may need to disclose known or threatened cyber incidents together with known and potential costs and other consequences. Companies in targeted industries that have not yet suffered a cybersecurity incident (or are not yet aware that they have suffered an incident) should consider disclosing how the company might be impacted by a cybersecurity incident -- even if no specific threat has been made against the company. Below are sample summary comments received by companies based on their particular industry or peer disclosures:
Considering these five tips may assist companies in minimizing the likelihood of receiving an SEC comment letter (and possibly multiple rounds of comments) and, even more importantly, the likelihood of lawsuits alleging inadequate disclosure in the event of a cybersecurity incident.
 Collier v. Steinhafel et al., No. 0:14-cv-00266 (D. Minn.) (filed Jan. 29, 2014), at ¶ 76.
 The guidance defines “cybersecurity” as “body of technologies, processes and practices designed to protect networks, systems, computers, programs and data from attack, damage or unauthorized access.”
 SEC Division of Corporation Finance, Cybersecurity, CF Disclosure Guidance: Topic No. 2 (Oct. 13, 2011), available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
 The April 9, 2013 letter is available at http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=49ac989b-bd16-4bbd-8d64-8c15ba0e4e51
 Chairman White’s May 1, 2013 letter is available at http://articles.law360.s3.amazonaws.com/0441000/441415/512013%20Letter%20from%20SEC%20Chair%20White.pdf
 While the majority of the guidance is focused on risk factors, the SEC also advises that cybersecurity disclosures may be appropriate in other areas of a company’s filings, including management’s discussion and analysis “if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.”
 The Cybersecurity Framework, available at http://www.nist.gov/itl/upload/preliminary-cybersecurity-framework.pdf.
 Roberta D. Anderson, NIST Unveils Preliminary Cybersecurity Framework, Cybersecurity Alert (Nov. 25, 2013), available at http://www.klgates.com/nist-unveils-preliminary-cybersecurity-framework-11-22-2013/
 Roberta D. Anderson, Before Becoming The Next Target: Recent Case Highlights The Need To Consider Insurance For Data Breaches, Insurance Coverage Alert (Jan. 16, 2014), available at http://www.klgates.com/before-becoming-the-next-target--recent-case-highlights-the-need-to-consider-insurance-for-data-breaches-01-16-2014/