As public companies prepare for the New Year and the start of yet another annual reporting season, it is the perfect time to reflect on our 2013 prediction that the SEC would require greater disclosure relating to cybersecurity risks and data breaches. As predicted, the SEC has been quite busy.
Last March, we saw a wave of cybersecurity risk factor disclosure by the nation’s largest banks. In April, we were fortunate enough to learn of the three major types of cybersecurity comments that the SEC had issued straight from the reindeer’s mouth.
Now, as we look back at 2013 and some of the comments that public companies have received, we have come up with five golden rules for avoiding cybersecurity coal in your SEC comment letter in 2014.
GOLDEN RULE ONE: EVALUATE – Before being able to properly disclose cybersecurity risk factors, public companies must first evaluate and assess their cybersecurity systems and procedures to better understand where they may be vulnerable to breaches.
GOLDEN RULE TWO: DETERMINE – Once an evaluation is complete and public companies understand their cybersecurity weaknesses, they should then determine the potential risks associated with those weaknesses and the effect that a data breach could have on the business, including whether such a breach would likely be material (hint: the answer is probably yes). Failure to adequately evaluate and determine the extent and likelihood of potential risks could trigger an SEC comment, like this one that Zlato, Inc. received in response to its Form S-1 filing:
“You state that access to your system by intruders or unauthorized users would be an ‘unlikely event.’ Given the risks associated with cybersecurity breaches, please consider revising. We refer you to the Division of Corporation Finance’s CF Disclosure Guidance Topic No. 2: Cybersecurity for additional guidance on this topic. Furthermore, tell us what consideration you gave to including risk factor disclosure.” (emphasis added)
GOLDEN RULE THREE: PLAN – In addition to knowing the risks of potential data breaches, public companies should have a plan for preventing cybersecurity risks and mitigating the effects of a potential breach.
GOLDEN RULE FOUR: DISCLOSE – The first three golden rules will be ineffective in preventing SEC cybersecurity comments without taking the next step and actually disclosing in public filings the risks determined in the evaluation, and the scope of the plan. If a tree falls in the forest, and no one is around to hear it……
GOLDEN RULE FIVE: BE SPECIFIC – The fifth, and arguably most important golden rule in avoiding an SEC comment regarding cybersecurity is to be specific. Omitting cybersecurity risk factor disclosure altogether might allow a company to sneak by in a filing or two without receiving an SEC comment. Alternatively, including a cybersecurity risk factor that is vague or boilerplate invites the SEC to comment. By disclosing the risk broadly and making general statements about cybersecurity breaches that a public company may have suffered, the disclosure flags the issue without adequately explaining the company-specific risks and the facts surrounding any actual prior breaches. Part of being specific also means that cybersecurity risk factors should stand alone, and should not be only a piece of a broader risk factor.
State Street Corporation made the mistake of being overly vague in its Form 10-K disclosure. As a result, it received the following comment from the SEC:
“We note that you disclose that you ‘continue to face increasing cyber security threats.’ Please tell us whether you have experienced any breaches, hacker attacks, unauthorized access and misuse, computer viruses and other cybersecurity risks and events in the past and, if so, what consideration you have given to disclosing such events in your risk factors. Please refer to the Division of Corporation Finance’s Disclosure Guidance Topic No. 2 at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm for additional information.”
By following the five golden rules, public companies can minimize the likelihood of receiving an SEC comment concerning deficiencies in their cybersecurity disclosure, or potentially worse, shareholder lawsuits in the event of a cybersecurity incident, the risks of which were not adequately disclosed. As shown in the SEC comments cited above, it is also a good idea to read the SEC guidance and/or Mintz Levin’s overview of the guidance, to understand the foundation for cybersecurity risk factor disclosure.
And so the chorus goes,
Five Golden Rules
Two California laws (at least…)