One of the foremost uncertainties in securities and corporate governance litigation is the extent to which cybersecurity will become a significant D&O liability issue. Although many D&O practitioners have been bracing for a wave of cybersecurity D&O matters, to date there has been only a trickle. Some have come to believe that at most, there will be a surge of derivative litigation, due to the lack of significant and sustained stock drops on the announcement of even large cybersecurity breaches.
Yet I remain convinced that a wave is coming, perhaps a tidal wave, and it will include not just derivative litigation, but securities class actions and SEC enforcement matters as well. In this post, I will focus on securities class actions, since that is where most of the uncertainty lies, including the question I begged in my previous post on cybersecurity securities class actions: what will trigger securities class actions when, to date, even the largest breaches haven’t caused significant and sustained stock-price drops? Unlike shareholder derivative actions, which do not require a significant stock drop, securities class actions require misrepresentations to cause loss to stock purchasers – loss that materializes upon the disclosure of bad news that causes the stock to drop. Thus, the advent of cybersecurity securities class actions will not occur unless stock prices begin to drop.
So why do I think stock prices will drop? It’s easiest to start to answer that question by thinking about why stock prices generally haven’t dropped to date. I’m not an economist, of course, but I’ve discussed this issue with some and have read and thought about it a lot. I believe that stock prices generally haven’t dropped significantly because the market believes that all companies are susceptible to a cyber-attack, and it’s basically random and unlucky when a company suffers one – it’s Company A this week and Company B next week, and so on. So a breach isn’t fundamental to the company’s business and doesn’t portend future negative financial consequences. That means that the market assesses the cost of the breach as the cost of remedying it through consumer notices, litigation defense and the like – which involves great but manageable and predictable cost, and does not view the breach as a fundamental or long-term problem.
That dynamic is bound to change, for several reasons. First, many companies have improved their cybersecurity and cybersecurity oversight significantly over the past few years. Those that are leaders will begin to tout their leadership, and criticize competitors who have had or may have problems. Cybersecurity thus will become a competitive issue, and the market will begin to pick winners and losers instead of regarding a company that suffers a breach as simply unlucky.
Second, as companies begin to tout their cybersecurity for competitive reasons, they will do so through statements that will be susceptible to challenge as false or misleading if they suffer a breach. The most difficult statements to defend in securities class actions often are those based on business braggadocio, and I think cybersecurity statements ultimately will be no different. In terms of stock price impact, such statements will bake strong cybersecurity into companies’ stock prices, leading to disappointment and thus stock drops when a seemingly strong cybersecurity company suffers a breach.
Third, the number of companies that disclose breaches will increase, leading to a larger universe of companies that might suffer stock drops. To date, virtually the only companies that disclose breaches are consumer-oriented companies, driven by breach-notification privacy laws. There have been few disclosures of significant breaches by non-consumer companies, whose disclosure decisions are based not on consumer breach-notification laws, but on SEC disclosure requirements.
That will change. The SEC is focused on cybersecurity disclosure, and inevitably will start to more aggressively police disclosure by companies that aren’t compelled to disclose breaches under privacy laws. (Of course, SEC enforcement over cybersecurity disclosures will not require a stock drop.) Also, I predict that whistleblowers from IT departments will start to surface, drawn by increasingly large whistleblower bounties. And auditors will begin to prompt disclosure as they too increase their focus on the financial impact of cybersecurity breaches.
I don’t know if this all means that cybersecurity securities class actions will become the most prominent type of securities class action. I doubt it. But I do think that the risk is high enough that all companies need to pay more attention to their cybersecurity disclosures, and insurers, brokers and risk managers need to be mindful of the inevitable increase of securities class action risk in this area.