A study by three Creighton University professors concludes that company disclosures relating to cybersecurity risk are associated with significant declines in the company’s share price. Reviewing the response to the SEC’s 2011 guidance on disclosure regarding cybersecurity and cyber incidents, they find that few companies have chosen to make risk disclosures prior to the occurrence of a cyber breach, and that those that do make disclosure suffer a decline in market price. Meanwhile, an SEC staff member has warned that companies that fail to disclose cyber breaches may face enforcement action.
In “SEC Cybersecurity Guidelines: Insights into the Utility of Risk Factor Disclosures for Investors,” Edward A. Morse, Vasant Raval, and John R. Wingender reviewed how companies have responded to the SEC Division of Corporation Finance’s 2011 guidance entitled “Cybersecurity.” The 2011 guidance states, in part, that companies “should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.” It directs companies to avoid boilerplate or standardized disclosures: “Registrants should not present risks that could apply to any issuer or any offering and should avoid generic risk factor disclosure.” As to MD&A disclosure, the guidance states that “Registrants should address cybersecurity risks and cyber incidents in their MD&A if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.” Therefore, while the guidance leaves considerable room for judgment regarding whether to make disclosure, it requires specificity if disclosure is made.
The Creighton study (which considers pre-incident risk disclosure) reaches the following conclusions:
- “Firms seem to have responded cautiously to the SEC’s guidance concerning cybersecurity risks. Despite the pervasive nature of cybersecurity risks across a broad range of industries, only a small percentage of firms potentially affected by such risks have undertaken affirmative risk factor disclosures in response to the guidance. While one might expect that adding yet another item to a list of risks affecting the firm in the annual Form 10-K would not trigger an adverse reaction from the marketplace, our empirical data suggest otherwise.”
- “Firms that disclosed cybersecurity risks were indeed punished by investors. This adverse market reaction suggests that caution was indeed the appropriate response from the firm’s perspective. Although some firms might have concluded that disclosures might provide a favorable outcome from signaling that management was attentive to concerns in the cybersecurity environment, the investor response suggests a different signaling function was operating here.”
- “* * * Those who chose not to disclose may be implying that their cybersecurity efforts are adequate to address the risks that their firms may be facing * * *. Unfortunately for those who do add cybersecurity risk factor disclosures, they may be unintentionally suggesting that they have firm-specific risk. When only some firms respond with disclosure, while others remain silent, the market appears to conclude that a disclosure suggests additional risks. The empirical data here suggest that the market is amenable to that suggestion through sending a negative impact on stock price in response to the firm’s signal.”
While – in the words of the Creighton authors – “Silence is indeed golden – at least from the investor’s perspective,” the SEC enforcement staff may have a somewhat different view, particularly as to post-cyber incident disclosure. According to an article in Law 360, SEC Deputy Enforcement Director Stephanie Avakian warned the audience at the Practicing Law Institute’s February 19 “SEC Speaks” conference that the agency is concerned about situations in which companies experience breaches but fail to make disclosure of the breach. She suggested that the Commission may bring enforcement actions in that area: “We see a spectrum of cyber awareness and attention and some firms essentially have nothing, so this is something we have to look at.” The SEC has not yet brought any cases of this type, and Ms. Avakian recognized that disclosure decisions in this area are not easy, with many variables coming into play: “We understand it may be difficult to assess the nature of a situation, these situations are fluid and core facts can change.”
Comment: The Creighton study provides an interesting insight into market psychology, but may not be a good guide for companies considering cyber risk disclosure. Ms. Avakian’s comments make clear that the enforcement staff is looking at incident disclosure. It may not be a long step for the staff, with the benefit of hindsight, to also ask whether a company that has experienced a breach gave proper pre-breach consideration to the SEC’s cybersecurity guidance. In the wake of a breach that has had clearly material consequences, the staff may want to understand whether the company had sufficient, specific ex-ante information that cybersecurity was a risk the company should have disclosed, either as a risk factor or as a known uncertainty in MD&A.