This article is the second in a series of articles that discuss the importance of privacy and data security considerations in the transactional context.
In light of numerous costly security breaches affecting disparate sectors of the American economy, public companies—ranging from merchants like Target Corporation and The Home Depot to technology firms like Adobe Systems, and from entertainment companies like Sony Entertainment to insurers like Anthem Blue Cross, to name a few examples—are under increased pressure to ensure that cyber risks are appropriately evaluated, addressed, and disclosed to investors. Because of the increasing number and cost of data security incidents, the U.S. Securities and Exchange Commission (SEC) has taken an active role in advising public companies on how to appropriately manage and disclose cyber risks. SEC cyber risk guidance to date, outside of advice specific to the financial services industry, relates to: (i) the responsibilities and duties that boards of public companies must bear with regard to cyber risk; and (ii) the manner in which public companies should disclose (when appropriate) the relevant cyber risks in company filings with the SEC.
The Role of the Board of Directors
In his 2014 remarks, “Board of Directors, Corporate Governance, and Cyber-Risks: Sharpening the Focus,” SEC Commissioner Luis A. Aguilar provided a useful framework for boards of directors and the attorneys advising public companies to follow when contemplating cybersecurity matters. As Commissioner Aguilar noted, a board owes broad duties to the corporation, and has a significant role in corporate governance and overseeing risk management, including cyber risks. To Aguilar—and likely the SEC—the board’s role in addressing cyber risk is akin to its role in addressing and managing other material risks to a corporation, whether they are financial, regulatory, or business-related. Thus, although a public company’s management has the primary day-to-day responsibility for managing risks, public company boards of directors must ensure that the company has established appropriate risk management programs and that the company’s management is implementing those programs appropriately.
Despite the obvious need for board involvement in cybersecurity matters, as Commissioner Aguilar noted in his remarks, many boards may be failing to exercise sufficient oversight or failing to devote appropriate energy or resources to address cybersecurity.1 Surveys continue to suggest that, despite the enterprise-level cyber risks facing many public companies, many boards are not undertaking cyber risk oversight actions (including basic measures, such as reviewing annual budgets for privacy and IT security programs, assigning managerial responsibilities relating to security, or receiving reports of IT risks).2 Taking corrective action on this “low-hanging fruit” could go a long way in reducing the quotidian cybersecurity risks facing public companies.
Beyond staying minimally informed and setting appropriate budgets, boards can take (and many have taken) more focused measures to address cybersecurity risks. Boards that may lack the requisite expertise to determine whether a company’s management is appropriately addressing cybersecurity matters (as opposed to, for instance, financial controls required under Sarbanes-Oxley, with which a board may have greater familiarity and knowledge) may benefit from receiving cybersecurity- and privacy-related education. When a company, based on its business or risk profile, is more likely than not to face cybersecurity risks, it may be sensible for the company to ensure that some directors maintain a suitable understanding of the relevant technological issues and risks. Beyond internal education, boards can also take steps to ensure that appropriate cybersecurity audits are conducted on a regular basis. Many boards have gone further and appointed board-level committees that are responsible for privacy and cybersecurity risks—the number of corporations with such specialized risk committees increased from 8 percent to 48 percent between 2008 and 2014.3 Ultimately, as part of the board’s general oversight function, directors should assess the adequacy of their company’s cybersecurity measures, taking into account the company’s cybersecurity risk profile, who within the company’s management has primary responsibility for risk oversight, how the company plans to manage cybersecurity risks, and the company’s insurance coverage for losses and costs resulting from cyberattacks.
Boards must also take appropriate measures to ensure cyber incident preparedness in their companies. Unlike many other crises a public company may face, cyberattacks require near-immediate action: time is of the essence in detecting, analyzing, containing, and responding to system infiltrations or other attacks. Thus, boards should ensure that their companies’ management has developed well-designed, thought-out, and implementable response plans to address cyberattacks. Boards should also ensure that appropriate staff is in place to monitor IT systems and respond to security issues. Evidence suggests that companies that employ full-time chief information security officers (or equivalent positions) who report directly to senior management detect more security incidents and report lower average financial losses per incident.4 By ensuring that companies have hired the right people, and that those employees have appropriate budgets and plans for managing and responding to risks, boards can play an appropriate role in significantly reducing enterprise risk.5
Boards that fail to pay appropriate attention to cybersecurity matters may face scrutiny, not only from regulators but also from their companies’ investors. Failure by a public company to appropriately address cyberattacks can lead not only to management changes—as seen with Target Corporation and Sony—but also to investor efforts to unseat board members. For example, in the wake of the Target Corporation cyberattack, a prominent proxy advisory firm encouraged the ouster of most of the Target directors in light of their perceived “failure . . . to ensure appropriate management of [the] risks” relating to the cyberattack.6 Likewise, shareholder derivative suits against companies and their officers and directors may be launched in the wake of a cybersecurity incident. For instance, the directors and officers of Target Corporation and Wyndham Hotels have faced derivative litigation in the past year as a result of those companies’ cybersecurity failures.7
Cyber Risks in Public Filings
In October 2011, the SEC Division of Corporation Finance released CF Disclosure Guidance: Topic No. 2 (CF Guidance), which outlined the division’s view of how public companies should discuss cybersecurity matters in their public filings.8 The division notes that the CF Guidance is “consistent with the relevant disclosure considerations that arise in connection with any business risk,” and that federal securities laws do not require companies to make “detailed disclosures [that] could compromise cybersecurity efforts—for example, by providing a ‘roadmap’ for those who seek to infiltrate a registrant’s network security.” Appropriate disclosures are required, however, because of the substantial costs and other negative consequences that a public company may suffer, which may include:
- Remediation costs, including potential liability for stolen assets or information, the cost of repairing any system damage, and incentives offered to customers or other business partners in an effort to maintain business relationships after an attack;
- Increased cybersecurity protection costs, which may include organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third-party experts and consultants;
- Lost revenues resulting from unauthorized use of proprietary information or the failure to retain or attract customers following an attack;
- Litigation; and
- Reputational damage adversely affecting customer or investor confidence.
In large part, these disclosures are required because federal securities laws are “designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision.”9 Although no securities laws or SEC rules refer explicitly to cybersecurity risks, a number of general disclosure requirements may impose an obligation on registrants to disclose such risks and incidents, and material information regarding cybersecurity risks and cyber incidents must be disclosed when necessary in order to make other required disclosures not misleading.
As a result, every public company should review its public filings on a regular basis to ensure that it is making appropriate disclosures, taking into account various factors relating to the company’s business. Likewise, a company filing for its initial public offering should take the opportunity to reflect on and appropriately disclose cybersecurity matters. Cybersecurity disclosures may be needed for a variety of reasons in several sections of a company’s periodic reporting disclosure or registration statement, including, among others, the following:
Risk Factors. A public company should discuss cybersecurity risks in its risk factors if cybersecurity issues are among the significant factors that make an investment in the company speculative or risky. As with other risk factor disclosures governed under Regulation S-K Item 503(c), cybersecurity risk factors must adequately describe the nature of the material risks and specify how each risk affects the company, and should not include generic risks that could apply to any issuer or any offering. Ideally, cybersecurity risk factor disclosure should include an evaluation of the company’s cybersecurity risks, prior cyberattacks, and likelihood of future attacks, as well as the potential costs associated with cybersecurity risks. In addition, such risk factor disclosure could include: (i) specific discussion of aspects of the company’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences; (ii) a description of outsourced functions presenting cybersecurity risks (and how the company addresses those risks); (iii) risks related to cybersecurity incidents that may remain undetected for an extended period (if known to the company); and (iv) a description of the company’s relevant insurance coverage or lack thereof. If cybersecurity incidents have affected a company previously, those incidents should inform and be integrated into the company’s disclosures to provide additional context to the disclosure.
MD&A. The SEC corporate finance division has explained that public companies should address cybersecurity risks and cyber incidents in their Management Discussion and Analysis of Financial Condition and Results of Operations (MD&A) if the costs or consequences associated with actual cyberattacks, or the risk of potential cyberattacks, represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the company’s results of operations, liquidity, or financial condition, or would cause reported financial information not to be necessarily indicative of future operating results or financial condition. This could occur if a cyberattack has resulted, or could result, in the loss or exposure of material intellectual property, in which case the effects of this loss or exposure should be described. Similarly, if a cyberattack has resulted in, or could result in, increased costs or reduced revenues, the historical impact and potential outcomes should be discussed. Under the division’s guidance, even material increases in cybersecurity protection costs should be discussed in the MD&A.
Description of Business. If one or more cybersecurity incidents materially affect a company’s products, services, relationships with customers or suppliers, or competitive conditions, the company should disclose the effect of the incidents when describing the affected business component.
Legal Proceedings. To the extent a material pending legal proceeding to which a company is a party involves a cybersecurity incident, the company may need to disclose information regarding this litigation in its disclosure of legal proceedings.
Financial Statements. Cybersecurity risks and cybersecurity incidents may have a broad impact on a company’s financial statements, depending on the nature and severity of the potential or actual incident. In attempting to mitigate cybersecurity risks, companies may incur substantial costs for software, audits, training, and other risk mitigation tools. Likewise, if a cybersecurity incident occurs, companies may seek to mitigate damages by providing customers with incentives to maintain business relationships, and may incur losses from asserted and unasserted claims, including those related to warranties, breach of contract, product recall and replacement, payment card network fines, and indemnification of counterparty losses from their remediation efforts. Cybersecurity incidents may also cause diminished future cash flows, thereby requiring consideration of impairment of certain assets including goodwill, customer-related intangible assets, trademarks, patents, capitalized software or other long-lived assets associated with hardware or software, and inventory. Public companies may not be able to immediately evaluate the impact of a cybersecurity incident and thus may be required to develop estimates to account for the various financial implications. In these cases, companies should subsequently reassess the assumptions that underlie the estimates made in preparing the financial statements, and must explain any risk or uncertainty of a reasonably possible change in its estimates in the near-term that would be material to the financial statements. Finally, if a cybersecurity incident is discovered after the balance sheet date but before the issuance of financial statements, companies should consider whether disclosure of a recognized or non-recognized subsequent event is necessary.
Disclosure Controls and Procedures. Public companies are required to provide conclusions on the effectiveness of their disclosure controls and procedures. To the extent cybersecurity incidents pose a risk to interfere with a company’s ability to record, process, summarize, and report information that is required to be disclosed in filings, the company’s management should consider whether this may result in any deficiencies in its disclosure controls and procedures that would render them ineffective.
Since the CF Guidance was issued, companies have continued to expand their disclosures relating to cybersecurity. Following a 2007 data breach that resulted in the theft of approximately 94 million credit and transactional records, TJX Companies, Inc., reported the incident in its Form 10-K filing, but with limited references (in the Introduction, as a Risk Factor, and as a Legal Proceeding). In contrast, later corporate victims of cybersecurity incidents have provided far more expansive disclosures—in some cases, companies suffering cybersecurity incidents have mentioned such incidents more than 200 times in their Forms 10-K.10 Arguably, certain public filings may over-disclose in an effort to defuse SEC scrutiny; as the CF Guidance makes clear, however, irrelevant or boilerplate disclosures do not satisfy a company’s obligation to provide appropriate disclosures to investors. Every public company—and each company seeking to make public offerings—should take time to evaluate its cybersecurity risks, exposures, and potential costs to ensure that its public filings meet SEC expectations.
1 Although boards are playing an increased role in overseeing cybersecurity matters in their companies, a 2014 survey found that a majority of boards have never discussed engaging an outside security expert, cyber risk disclosures in response to SEC guidance, an actual breach of the company’s security, the company’s cyber insurance coverage, the development of the Department of Homeland Security/National Institute of Standards and Technology (NIST) cybersecurity framework, or the need to designate a chief information security officer. PricewaterhouseCoopers LLP, 2014 Annual Corporate Directors Survey: Trends Shaping Governance and the Board of the Future (PwC Survey), at 32, http://www.pwc.com/us/en/corporate-governance/annual-corporate-directors-survey/assets/annual-corporate-directors-survey-full-report-pwc.pdf. Fortunately, the focus on cybersecurity is increasing among directors: the same study found that 65 percent of directors want to increase their boards’ focus on cybersecurity matters. Id. at 6.
2 See, e.g., Steven P. Blonder, “How closely is the board paying attention to cyber risks?” Inside Counsel, April 9, 2014, available at http://www.insidecounsel.com/2014/04/09/how-closely-is-the-board-paying-attention-to-cyber.
3 Deloitte Audit Committee Brief, Cybersecurity and the audit committee (Aug. 2013), at 2, available at http://deloitte.wsj.com/cfo/files/2013/08/ACBrief_August2013.pdf.
4 PricewaterhouseCoopers LLP, The Global State of Information Security Survey 2014, at 4, available at http://www.pwc.com/gx/en/consulting-services/information-security-survey/download.jhtml. That survey also noted that all of the following contributed to improved cybersecurity response results: (i) having an overall cybersecurity strategy; (ii) reviewing the effectiveness of security measures within the past year; and (iii) having an understanding of recent cybersecurity events.
5 This is an area where many boards continue to struggle: According to the 2014 PwC survey, “nearly half of directors have not discussed their company’s crisis response plan in the event of a security breach, and more than two-thirds have not discussed their company’s cybersecurity insurance coverage.” PwC Survey at 8.
6 Paul Ziobro, “Target Shareholders Should Oust Directors, ISS Says,” The Wall St. Journal, May 28, 2014, available at http://online.wsj.com/article/BT-CO-20140528-709863.html.
7 See, e.g., Collier v. Steinhafel, No. 0:14-cv-00266 (D. Minn. Jan. 2014) (alleging failings by Target’s board and top executives); Palkon v. Holmes, No. 2:14-cv-01234 (D.N.J. May 2014) (alleging that, by failing to take adequate steps to safeguard customers’ personal and financial information, Wyndham’s board and top executives caused financial damage to the company).
8 Although the CF Guidance is not a rule, regulation, or statement of the SEC, and the SEC has not approved of its content, the CF Guidance is a strong indication of how the SEC will proceed internally and what it will expect in a public company’s reporting.
9 CF Guidance at n.2.
10 See Heartland Payment Systems 2010 Form 10-K Report, available at http://www.snl.com/IRWebLinkX/file.aspx?IID=4094417&FID=10884340&O=3&OSID=9 (making nearly 250 references to the 2009 hack of its database that compromised approximately 130 million records).