Even though, in the wake of recent events, cybersecurity is a very hot topic, only 38% of U.S. public companies cite cybersecurity as a risk factor in their annual and quarterly SEC filings, according to a recent study from Intelligize. The study showed that, while only 426 public companies cited cybersecurity as a risk in 2012, that number grew to 1,662 in 2016. However, so far in 2017, the number has been relatively flat at 1,680. But the question remains, how long will that continue?
Intelligize found that most of the companies including cybersecurity as a risk factor were in the financial services and real estate sectors, while in the healthcare sector, which is subject to HIPAA compliance, fewer companies cited cyber as a potential risk—only 190 so far in 2017. Companies noted the increased level and sophistication of cyberattacks and specified as potential consequences financial exposure and reputational and operational disruptions leading to increased costs. One reason that some companies offer for their omission of cyber risks, especially the omission of details, is the fear of tipping off potential hackers. Although, in the past, the study advises, cybersecurity was viewed as principally an IT issue, it is now more often recognized as a potential material risk that could require management and board attention. And increasingly, boards are holding CEOs and other executives responsible for severe data breaches, the study indicates, citing an NYSE survey of 200 corporate directors.
But the confluence of the latest cybersecurity events, together with recent prodding from the SEC, may mean that the relatively low percentage of companies reporting cybersecurity risks is about to change.
In September of this year, SEC Chair Jay Clayton highlighted, as still relevant today, the principles-based Disclosure Guidance that Corp Fin issued in 2011, which was designed to “to help public companies consider how issues related to cybersecurity should be disclosed in their public reports. The staff guidance discusses, among other things, cybersecurity considerations relevant to a company’s risk factors, management’s discussion and analysis of financial condition and results of operation, description of business, discussion of legal proceedings, financial statements, and disclosure controls and procedures…. Accordingly, issuers should consider whether their publicly filed reports adequately disclose information about their risk management governance and cybersecurity risks, in light of developments in their operations and the nature of current and evolving cyber threats. The Commission also will continue to evaluate this guidance in light of the cybersecurity environment and its impacts on issuers and the capital markets generally.” He also emphasized that “[i]ssuers and other market participants must take their periodic and current disclosure obligations regarding cybersecurity risks seriously, and failure to do so may result in an enforcement action.” (See this PubCo post.)
And it appears that the SEC is currently in the process of reviewing Corp Fin’s 2011 guidance. At the 2017 PLI Securities Regulation Institute, Corp Fin Director William Hinman remarked that, on reviewing the 2011 guidance on cybersecurity disclosure initially, Hinman believed that the guidance, which is principles-based, still worked effectively. But with cybersecurity now so omnipresent in the media, he expects new guidance probably at the SEC level. New guidance will likely address disclosure controls and escalation procedures for cyber events. Because it may be hard to determine the significance of attacks initially, the controls should require the IT and business folks to promptly consider the impact of the event together, with an eye toward the implications for the business. Companies should also consider the impact of potential cyber events on insider trading policies, including a prophylactic policy for officers and directors once it is known that an event has occurred that could be material. (See this PubCo post.)
One group urging the SEC to take further action may be the SEC’s Investor Advisory Committee. At a meeting of the Committee last week, a discussion draft regarding cybersecurity risk disclosure was on the agenda for debate. The draft observed that, in the last three years, over 150 public companies in the U.S. had been subject to “large-scale cyber-attacks,” and that SEC Chair Jay Clayton had expressed his lack of confidence that the investing public really understood these risks. Moreover, according to a study from the NACD, only 19% of corporate directors agreed that their boards have “a high level of understanding” of cyber risks, but a survey by the Harvard Business Review found that only 8% of directors viewed cybersecurity as a “strategic threat.”
When it comes to disclosure of cybersecurity risk, the discussion draft advocates, public companies could and should be doing more:
“Although under the current regulatory regime companies disclose certain risks or loss events associated with cybercrime, such disclosures often appear to be minimal and/or boilerplate, and do not provide investors with sufficient information on the company’s ability to address cybersecurity concerns. The nature of the…past attacks is commonly described in terms so general investors have no ready way of assessing whether those attacks are likely to recur. Given the gravity of risks associated with cyberattacks, investors have a right to know whether public companies are prioritizing cybersecurity and whether they have directors who can play an effective role in cyber-risk oversight.”
Accordingly, the draft recommends that the SEC “respond to the growing concern over cyberattacks on public companies by enhancing disclosure requirements associated with cybersecurity risks, while respecting the need of companies to not reveal sensitive or proprietary information useful in combating those same risks.”
More specifically, the draft recommends that the SEC require public companies to go beyond the generic by:
- Disclosing in MD&A a more comprehensive description of cybersecurity risks that are specific to each company, including a detailed description of trends and risks to future financial performance.
- Disclosing “specific, non-proprietary and non-sensitive information” about prior cyberattacks, including “summary information derived from root-causes analyses of how the attacks were or were not successful, to clarify the nature and significance of ongoing risks. (We here note and commend the SEC’s own recent disclosures regarding a cyber-attack at the agency as the kind of specific disclosures that provide assurance as to ongoing management and investigation of cyber-risk.)” (See this PubCo post.)
- Providing a “general description of the company’s efforts to minimize cybersecurity risks and its capacity to respond to cyberattacks, including measures taken to elect or appoint special committees, response units, designated officers, or third parties responsible for securing company data and customer information. (We recognize that detailed descriptions of security systems may jeopardize cybersecurity efforts, and we do not advocate rules requiring disclosure of sensitive information. However, we believe that investors have a right to know whether the company has undertaken efforts to protect itself from cybercrime.)” This description might include “efforts to quantify potential risks, the scope and progress of programs of investment of corporate resources aimed at addressing those risks, and discussions of the board and management skills and resources an issuer has to address the risks on an ongoing basis.”
- In the most controversial point, providing information on whether any director “has experience, education, or expertise in cybersecurity, and if not, why a company believes that such board-level resources are not necessary for the company to adequately manage cyber risks. (Again, we recognize that such explanations would not be beneficial if they revealed proprietary or sensitive information that could increase a company’s exposure, but we believe that more information than is currently being provided could be provided without jeopardizing company’s security.)” The author contended that a disclosure obligation to that effect would “increase the level of board awareness and understanding of cyber risks at their own company, encourage boards directly to address cyber risk at least once per year, as part of the annual proxy statement disclosure cycle, and may usefully encourage boards to consider adding cyber expertise to board or senior management.”
In the course of the meeting, some committee members cautioned that the guidance should not include requirements for disclosure that would “invite litigation” viewed from hindsight, and, as a result, create another barrier to going public. In response, the author of the discussion draft explained that it was not his intent that the SEC add new line items, but rather provide additional guidance under the existing disclosure regime. But the recommendation that was most contentious was the recommendation to provide disclosure about board cybersecurity expertise, using essentially a “comply or explain” format. The author contended that, in his view, cybersecurity was analogous to financial statement audit risk in that it is a risk to which all companies are exposed. As result, he maintained, like financial expertise, board cyber expertise was appropriate. Several other committee members took issue with that recommendation, contending that it would “silo” the risk and create a requirement for check-the-box expertise. What’s more, cybersecurity expertise is like “a melting ice cube,” and a director who is an expert now may find that that expertise deteriorates in short order. The author maintained that the disclosure was not intended to create a requirement. (Note, however, that the SEC’s past efforts at “regulation by humiliation” have tended to compel companies to take the action rather than explain to shareholders why they haven’t.) One committee member recommended that companies instead be required to disclose whether adequate expert cybersecurity resources had been made available to the board