Recent high profile data breaches, corporate economic espionage cases and government reports detailing the threat posed by foreign economic espionage in cyberspace have generated more focus on the risks posed by cyber incidents and whether corporations are doing enough to protect their computer systems and intellectual property. Despite this, and prior to newly released guidance from the Division of Corporation Finance of the Securities and Exchange Commission, there were no guidelines as to when a corporation should publicly disclose the loss of confidential information or disruption to a system caused by a cyber incident even when the incident caused financial losses.
Indeed, it was widely assumed that many companies did not report such incidents for fear of damaging their reputation with investors, customers, and their employees, and highlighting their vulnerabilities. Now, however, corporations and their managers should seriously consider whether to follow the recently released guidance from the SEC on the disclosure of cyber incidents.
Corporations should also use this opportunity to review their insurance coverage of losses due to cyber incidents, especially since the SEC has identified the extent and amount of insurance coverage as a risk factor.
Cyber incidents can be intentional or unintentional. Intentional attacks can consist of attempts to bring down the computer system for malicious reasons or to gain access to steal confidential and proprietary information, such as customers’ credit card information or invaluable trade secret information. As to the latter, a recent government report highlighted the risk of economic espionage committed by foreign governments, agents and companies against U.S. corporations using the opportunities provided by cyberspace. (Click here to view report).
The report noted that foreign collectors of sensitive economic information are able to operate in cyberspace with relatively little risk of detection by their private sector targets. The proliferation of malicious software, prevalence of cyber tool sharing, use of hackers as proxies, and routing of operations through third countries make it difficult to identify the responsible party.
The report concluded that because the United States is a leader in the development of new technologies and is a central player in global finance and trade networks, foreign attempts to collect technological and economic information from U.S. corporation will continue at a high level and will represent to the financial being to U.S. companies and to the economy of the United States as a whole.
On October 13, 2011, the Division of Corporation Finance of the SEC issued a Guidance to address the increased risks of registrants associated with cyber security and cyber incidents. (Click here to view Guidance). According to the Guidance, federal securities laws are intended, in part, to elicit “disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision.”
The Guidance warned that “[a]lthough no existing disclosure requirement explicitly refers to cyber security risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents” and that such material information is required to be disclosed “when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.” The SEC stated, “as with other operational and financial risks, registrants should review, on an ongoing basis, the adequacy of their disclosure relating to cyber security risks and cyber incidents.”
The Guidance indicated that the SEC expected registrants to disclose the risk of cyber incidents where cyber incident “risk factors” are among the most “significant factors” that would make an investment in the company speculative or risky. The factors include the severity and frequency of prior cyber security incidents, the likelihood of future incidents, the quantitative and qualitative magnitude of those risks, and the adequacy of preventive actions taken to reduce cyber security risks particularly in the context of the registrant’s industry.
Where disclosure is appropriate, the Guidance suggests that a number of key subjects should be provided in the disclosure, including the potential costs and consequences to the registrant of the material cyber security risks, the number and severity of previous cyber incidents, and the existence of relevant insurance coverage.
The SEC’s specific reference to insurance coverage as an appropriate subject for disclosure combined with a greater focus on the risk posed by a cyber incident is likely to cause a similar increased focus on a company’s use of insurance to mitigate risk. Responsible managers should carefully review existing policies to determine if suitable coverage already exists. Officials should be aware that in the past several years insurance companies have begun to market specific computer policies that may provide first and third-party coverage for losses associated with cyber incidents, such as costs for data restoration, crisis response, privacy notification and forensic investigation, as well as defense and indemnification arising out of cyber incidents, and business interruption.
The Guidance next provides that where the costs or other consequences associated with one or more known cyber incidents or the risk of potential cyber incidents represent a material event, trend or uncertainty that is reasonably likely to have a material effect on the registrants operations, liquidity or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or operating condition, the registrant should disclose the cybersecurity risks in the registrant’s Management’s Discussion and Analysis of Financial Condition (MD&A). The SEC provides, as an example of cyber incident requiring disclosure, the theft of material intellectual property.
The Guidance indicates that the registrant may need to report a cyber incident where it would “materially affect a registrant’s products, services, relationships with customers or suppliers, or competitive conditions.” As an example, the SEC states “if a registrant has a new product in development and learns of a cyber incident that could material impair its future viability, the registrant should discuss the incident and the potential impact to the extent material.”
Next, according to the SEC, where the registrant is a party to a legal proceeding involving a cyber incident, the registrant may need to disclose information regarding the litigation in its “Legal Proceedings” disclosure. The Guidance also states that because cyber security risks and cyber incidents may have a broad impact in a registrant’s financial statements, depending on the nature and severity of the potential or actual incident, they may have to be reported in financial statement disclosures.
Finally, to the extent that cyber incidents pose a risk to a registrant’s ability to record, process, summarize, and report information that is required to be disclosed in SEC filings, the registrant should disclose its conclusions on the effectiveness of disclosure controls and procedures. “For example, if it is reasonably possible that information would be recorded properly due to a cyber incident affecting a registrant’s information systems, a registrant may conclude that its disclosure controls and procedures are ineffective.”
While the Guidance leaves the inclusion of cyber-security risks to the individual company, companies should carefully evaluate the unique risks posed by a computer breach. For example, companies that handle and store large amount of personal data, need to especially aware of the risks posed by a cyber security breach. Such companies should consider disclosing that a successful attack could result in its reputation being damaged, potential lost business, and fines due to non-compliance with privacy laws. In addition, such companies may also want to disclose in a 10-K, not only the risks posed by a breach of cyber security, but that a security breach due to cyber attacks that leads to misuse of customer information could compel the company to comply with “disparate breach notification laws in various jurisdictions.”
Companies in the healthcare industry, which store sensitive patient information regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), also must face increased cyber security risks. Such companies should consider, for example, stating that if patient data is improperly accessed it may face sanctions or criminal prosecution if it were to be found in violation of privacy rules under HIPAA.
When a company is actually the victim of a computer attack, the company may be required to disclose the incident, its impact on operations and what steps have been undertaken to prevent a future problem. A company should disclose, for example, that a computer security breach disrupted normal business operations and it cost a lot of money to remedy.
The number and severity of cyber incidents is not likely to diminish in the near future. Public corporations have a duty to their shareholders to protect themselves or face the financial, legal and reputational harm that a computer security breach would cause. Sound corporate governance practices should also include disclosure of the risks posed by breaches of cyber security.