Cybersecurity may be the SEC’s newest area for enforcement actions. While the SEC first released Disclosure Guidance concerning cybersecurity in 2011, the recent media attention surrounding significant cybersecurity breaches at a number of U.S. companies may cause the SEC to renew interest in the issue, and may result in enforcement actions, as well as shareholder class actions and derivative lawsuits. Companies that fail to disclose cybersecurity events in their public filings may find themselves on the wrong end of an SEC investigation and enforcement action.
Companies may also see an increase in class actions where there is a significant stock drop following disclosure of a cybersecurity breach—however, to date, there is little evidence to suggest the market reacts in a negative way following disclosure of a cybersecurity breach, leaving questions about whether plaintiffs could prove materiality and causation in a securities fraud case. Finally, increased focus on cybersecurity disclosures may result in an increase in shareholder derivative actions against officers and directors, with shareholders alleging that the company breached their fiduciary duties by failing to ensure adequate security measures.
The 2011 SEC guidance included instructions for how companies might consider disclosing cybersecurity risks. In particular, the SEC emphasized that companies are not required to present risks that “could apply to any issuer or any offering, and should avoid generic risk factor disclosure.” Instead, the SEC asked that companies focus on cybersecurity risks that are specific to the company’s business or operations, and include description of cyber incidents that the registrant has experienced, including any response to those incidents.
Despite the 2011 guidance, recent media reports suggest that very few companies have disclosed cybersecurity incidents, including actual hacking events.