With the Securities and Exchange Commission’s attention again returning to cybersecurity issues, many registrants are recalling the Commission’s intense focus on “Year 2000” issues over a decade ago.
Commissioner Luis Aguilar, in remarks at the SEC’s cybersecurity roundtable held on March 26, 2014, made a special point of discussing the SEC’s growing concerns about cybersecurity and observed that cyber-attacks have wide-ranging and potentially devastating effects on the economy, individual consumers and on markets and investors. In an April 2, 2014 speech, Commissioner Aguilar stated that the SEC’s Office of Compliance Inspections and Examinations will be making cybersecurity an exam priority, warning that the industry should expect that SEC examiners will be reviewing whether asset managers have policies and procedures in place to prevent and detect cyber-attacks and whether they are properly safeguarding their systems against security risks. (See http://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf)
These concerns are not limited to those operating in the retail side of the securities markets. All companies subject to reporting obligations under the Securities Exchange Act of 1934 must be aware of how cybersecurity issues should be disclosed. The SEC identified several key areas of potential disclosure in CF Disclosure Guidance: Topic No. 2 (http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm).
The SEC expects registrants to disclose risks related to cyber incidents if those risks make an investment in the company speculative or risky. As with other risk factors, disclosure must be tailored to the registrant’s specific circumstances, and include such matters as areas of business or operations that give rise to material cybersecurity risks, and the potential costs and consequences. Companies that outsource must consider cybersecurity risks related to that aspect of their business and how those risks are addressed, including detection of incidents and potential insurance coverage.
Management’s Discussion and Analysis.
Cybersecurity risks and incidents may result in costs or other consequences that are reportable as a material event, trend or uncertainty that could have a significant impact on a registrant’s operations, financial condition and results. Such disclosure could include the impact of increased expenses for data and system security, or the consequences of theft of valuable intellectual property from a cyber-attack.
Description of Business.
Registrants must disclose any material effects of cyber incidents on products, relationships with business partners, or competitive conditions.
Cyber incidents may result in litigation or government investigations that meet the disclosure requirements of Item 103 of Regulation S-K. In particular, Instruction 2 requires aggregation and disclosure of “any proceeding [that] presents in large degree the same legal and factual issues as other proceedings.” In this way, individual claims related to cyber security incidents may point to a larger disclosure issue - both in terms of meeting the dollar threshold of Item 103 and a failure of internal controls (discussed below) - even if each claim by itself is not material.
Financial Statement Disclosure.
There are many ways cybersecurity risks and incidents may affect a registrant’s financial statements. These include:
- Costs to maintain system and data security and to prevent cyber incidents.
- Costs to remediate the effects of any data breaches (such as customer loyalty or incentive programs, or providing free credit reports).
- Expenses and losses resulting from claims asserted by customers for product returns, breach of warranty, or breach of contract, or claims from counterparties for their own remediation efforts, as well as the costs of regulatory investigations and potential litigation. The financial statements must deal with accrual and/or disclosure for both asserted and threatened claims; and, in addition, cyber incidents are one of the relatively rare instances where unasserted possible claims are so likely and could be so material that they must be dealt with under the loss contingency rubric.
Disclosure Controls and Procedures.
Cyber incidents pose multiple risks to the registrant’s ability to control its own data and other assets and to its ability to accurately record and report information required in SEC filings. This may the most painful disclosure of any listed, because it requires the registrant to at least skirt around the edges of information about vulnerabilities it would not want any hacker to know about.
The SEC’s Disclosure Guidance on cybersecurity did not present mandatory rules for disclosure, but merely guidance. However, given the SEC’s increasing attention to this hot-button issue it is likely that the Commission will be pressing registrants to provide greater attention and detail to these challenges. Privately held companies should also be mindful of the disclosure obligations identified by the SEC when issuing securities in private transactions. We also expect cybersecurity issues to become increasingly prominent in the broader realm of corporate governance as directors are likely to face greater scrutiny under the standards of In re Caremark International, Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996) to assure that the company has adequate information and reporting systems to assure compliance with applicable legal requirements related to data security and privacy.