Cybersecurity Risk Factors: Five Tips to Consider When Any Public Company Might be The Next Target

Transcription

1 10 February 2014 Practice Groups: Capital Markets Insurance Coverage The text of this article was first published by Law360 on February 10, Cybersecurity Risk Factors: Five Tips to Consider When Any Public Company Might be The Next Target By Roberta D. Anderson, Katherine J. Blair The Risk of Cybersecurity Attacks With annual reporting season underway, C-suite executives wake to another day and another data breach. Target, Michael s, Snapchat, Facebook, Twitter, Adobe -- the list goes on and on. By now, all companies should appreciate that, notwithstanding the most robust and sophisticated network security, any company is a vulnerable next Target for a serious cybersecurity incident, together with the range of negative consequences that typically follows, including negative publicity, reputational damage that adversely affects customer and investor confidence, lost market capitalization, claims and legal disputes, regulatory investigations -- and falling stock prices. In the wake of its high-profile data breach, Target s directors and officers were just hit on January 29, 2014 with a shareholder derivative action alleging that Target shares were trading above $63.50 on December 18, 2013 before the news of the data breach and have fallen over 10.5% to $57.60 and that Target has suffered considerable damage from breach. 1 In view of the recent high-profile data breaches, and the pervasiveness of cybersecurity incidents in general, companies are well advised to consider whether their current cybersecurity risk factor disclosures are adequate. Proper attention to cybersecurity risk factor disclosures may assist a company in avoiding a Securities and Exchange Commission (SEC) comment letter. Even more importantly, proper attention to cybersecurity risk factor disclosures may decrease the likelihood that a company will face securities class action litigation and shareholder derivative litigation in the wake of a cybersecurity incident that negatively impacts the company s stock price -- or, at a minimum, may mitigate a company s potential exposure in the event of such litigation. The Form 10-Ks that public companies are preparing to file in the coming weeks present a significant opportunity for companies to review and strengthen their cybersecurity risk factor disclosures, and below we offer five tips that companies may wish to consider in reviewing the adequacy of their existing cybersecurity disclosures. SEC Disclosure Guidance By way of background, companies must keep in mind that, although existing disclosure requirements do not (yet) expressly reference cybersecurity, the SEC s Division of Corporation Finance (SEC staff) has emphasized the importance of appropriate cybersecurity disclosures. In the wake of what it termed more frequent and severe cyber 1 Collier v. Steinhafel et al., No. 0:14-cv (D. Minn.) (filed Jan. 29, 2014), at 76.

2 incidents, the SEC issued cybersecurity disclosure guidance, 2 which advises companies to review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents. 3 While acknowledging that no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, the SEC s guidance stresses that existing requirements oblige companies to make appropriate cybersecurity disclosures. The guidance states in this regard that a number of disclosure requirements may impose an obligation on registrants to disclose cybersecurity risks and incidents. In addition, the guidance explains that material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading. SEC Chairwoman Mary Jo White reaffirmed a company s current cybersecurity disclosure obligations in response to an April 9, 2013 letter received from Senate Commerce Chairman Jay Rockefeller. 4 In his letter, Chairman Rockefeller urged the SEC to elevate [its] guidance, noting that [i]nvestors deserve to know whether companies are effectively addressing their cybersecurity risks. In response, Chairwoman White emphasized that [e]xisting disclosure requirements impose an obligation on public companies to disclose risks and events that a reasonable investor would consider material and that cybersecurity risks are among the factors a public company would consider in evaluating its disclosure obligations. 5 Chairwoman White also highlighted that cybersecurity risk is a very important issue that is of increasing concern and stated that the SEC continues both to prioritize this important matter in its review of public company disclosures and to issue comments concerning cybersecurity. In its guidance, the SEC staff advises companies to disclose cybersecurity risks consistent with the Regulation S-K Item 503(c) requirements for risk factor disclosures generally, such that the disclosure provided must adequately describe the nature of the material risks and specify how each risk affects the company. The guidance proceeds to advise that appropriate disclosures may include the following: Discussion of aspects of the registrant s business or operations that give rise to material cybersecurity risks and the potential costs and consequences; To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks; Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences; Risks related to cyber incidents that may remain undetected for an extended period; and 2 The guidance defines cybersecurity as body of technologies, processes and practices designed to protect networks, systems, computers, programs and data from attack, damage or unauthorized access. 3 SEC Division of Corporation Finance, Cybersecurity, CF Disclosure Guidance: Topic No. 2 (Oct. 13, 2011), available at 4 The April 9, 2013 letter is available at 5 Chairman White s May 1, 2013 letter is available at pdf 2

3 Description of relevant insurance coverage.6 Although the guidance does not create new cybersecurity disclosure obligations, it is abundantly clear that failure to make adequate cybersecurity disclosures may subject a company to increased risk of enforcement actions and shareholder suits in the wake of a cybersecurity incident that negatively impacts a company s stock price. The Five Tips The following five tips may assist companies in reviewing the adequacy of their existing cybersecurity disclosures based on the SEC s disclosure guidance as well as comments issued to approximately 55 companies over the last two years. 1. Perform A Cybersecurity Risk Assessment. The SEC staff states in its guidance that it expects companies to evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents as well as the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware. To facilitate adequate disclosures, companies should consider engaging in a thorough assessment concerning their current cybersecurity risk profile and the impact that a cybersecurity breach may have on the company s business. In addition to positioning the company to provide adequate cybersecurity risk factor disclosures, the undertaking of a risk assessment is consistent with the National Institute of Standards and Technology s recently released Preliminary Cybersecurity Framework, 7 which, at a high level, provides a framework for critical infrastructure organizations to achieve a grasp on their current cybersecurity risk profile and risk management practices and to identify gaps that should be addressed in order to progress towards a desired target state of cybersecurity risk management. 8 Although the Cybersecurity Framework is voluntary, organizations are advised to keep in mind that creative class action plaintiffs (and even some regulators) may nevertheless assert that the Cybersecurity Framework provides a de facto standard for cybersecurity and risk management. 2. Consider Disclosing Prior -- And Potential -- Breaches. To the extent a company or one of its subsidiaries has suffered a reported or known cybersecurity event, the company should anticipate that the SEC may issue a comment letter if the event is not disclosed. The following comments are typical of what a company might expect to see: We note that [your subsidiary] announced on its website that a cyber attack occurred during which millions of user accounts were compromised. Please tell us what consideration you gave to including expanded disclosure consistent with 6 While the majority of the guidance is focused on risk factors, the SEC also advises that cybersecurity disclosures may be appropriate in other areas of a company s filings, including management s discussion and analysis if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition. 7 The Cybersecurity Framework, available at 8 Roberta D. Anderson, NIST Unveils Preliminary Cybersecurity Framework, Cybersecurity Alert (Nov. 25, 2013), available at 3

4 the guidance provided by the Division of Corporation Finance's Disclosure Guidance Topic No. 2. We have read several reports of various cyber attacks directed at the company. If, in fact, you have experienced cyber attacks, security breaches, or other similar events in the past, please state that fact in order to provide the proper context for your risk factor disclosure. Notably, the guidance states that appropriate disclosures may include a description of cybersecurity incidents that are material individually or in the aggregate. And the comments issued to date indicate that where a company states that it has not been the victim of a material cybersecurity event, the SEC nonetheless has requested that the company s risk factor disclosure be expanded to state generally that the company has been the victim of hacking -- regardless of the fact that prior events were immaterial. A few of the SEC comments to date include (in summary form): We note your response that the incident did not have a material impact on the company s business. In order to place the risks described in this risk factor in appropriate context, in future filings please expand this risk factor to disclose that you have experienced cyber attacks and breaches. You state that you have not experienced a material breach of cybersecurity. Your response does not appear to address whether you are experiencing any potential current business risks concerning cybersecurity. For example, despite the fact you believe you have not experienced a material breach of your cybersecurity, are you currently experiencing attacks or threats to your systems? If you have experienced attacks in the past, please expand your risk factor in the future to state that. We note that your response suggests that you have, in fact, experienced thirdparty breaches of your computer systems that did not have a material adverse effect on the Company s operations. In order to place the risks described in your current risk factor in appropriate context, in future filings please expand your disclosure to state that you have experienced cyber attacks and breaches. In addition, the SEC s guidance advises that companies may need to disclose known or threatened cyber incidents together with known and potential costs and other consequences. Companies in targeted industries that have not yet suffered a cybersecurity incident (or are not yet aware that they have suffered an incident) should consider disclosing how the company might be impacted by a cybersecurity incident -- even if no specific threat has been made against the company. Below are sample summary comments received by companies based on their particular industry or peer disclosures: We note press reports that hotels and resorts are increasingly becoming a target of cyber attacks. Please provide risk factor disclosure describing the cybersecurity risks that you face. If you have experienced any cyber attacks in the past, please state that fact in the new risk factor in order to provide the proper context. Given that other companies in your industry have actually encountered such risks from cyber attacks, such as attempts by third parties to gain access to your systems for purposes of acquiring your confidential information or intellectual 4

5 property, including personally identifiable information that may be in your possession, or to interrupt your systems or otherwise try to cause harm to your business and operations and have disclosed that such risks may be material to their business and operations, please tell us what consideration you gave to including disclosure related to cybersecurity risks or cyber incidents. We note that the incidences of cyber attacks, including upon financial institution or their service providers, have increased over the past year. In future filings, please provide risk factor disclosure describing the cybersecurity risks that you face. In addition, please tell us whether you have experienced cyber attacks in the past. If so, please also disclose that you have experienced such cyber attacks in order to provide the proper context for your risk factor disclosure. 3. Be Specific. The SEC staff has advised that companies should avoid boilerplate language and vague statements of general applicability. In particular, the guidance states that companies should not present risks that could apply to any issuer or any offering and should avoid generic risk factor disclosure. In addition, the guidance states that companies should provide disclosure tailored to their particular circumstances and avoid generic boilerplate disclosure. Companies that offer generally applicable statements may expect to receive comments such as the following: You state that Like other companies, our information technology systems may be vulnerable to a variety of interruptions, as a result of updating our SAP platform or due to events beyond our control, including, but not limited to, natural disasters, terrorist attacks, telecommunications failures, computer viruses, hackers, and other security issues. Please tell us whether any such events relating to your cybersecurity have occurred in the past and, if so, whether disclosure of that fact would provide the proper context for your risk factor disclosure. We note that you disclose that you may be vulnerable to breaches, hacker attacks, unauthorized access and misuse, computer viruses and other cybersecurity risks and events. Please tell us whether you have experienced any breaches, hacker attacks, unauthorized access and misuse, computer viruses and other cybersecurity risks and events in the past and, if so, whether disclosure of that fact would provide the proper context for your risk factor disclosures. 4. Remember That A Vulnerability Road Map Is Not Required. Although the SEC seeks disclosures that are sufficient to allow investors to appreciate the nature of the risks faced by a company, it has made clear that the SEC does not seek information that would create a road map or otherwise compromise a company s cybersecurity. At the outset of its guidance, the SEC staff states that it is mindful of potential concerns that detailed disclosures could compromise cybersecurity efforts -- for example, by providing a road map for those who seek to infiltrate a company s network security -- and that disclosures of that nature are not required under the federal securities laws. The SEC guidance later reiterates that the federal securities laws do not require disclosure that itself would compromise a company s cybersecurity. 5

6 5. Consider Insurance. Network security alone cannot entirely address the issue of cybersecurity risk; no firewall is unbreachable, and no security system is impenetrable. Insurance can play a vital role in a company s overall strategy to address, mitigate, and maximize protection against cybersecurity risk. Reflecting this reality, the SEC guidance advises that appropriate disclosures may include a description of relevant insurance coverage that a company has in place to cover cybersecurity risks. The SEC s guidance provides another compelling reason for companies to carefully evaluate their current insurance program and consider purchasing cyber and data privacy-related insurance products, which can be extremely valuable. 9 In the wake of a data breach such as the recent Target breach, for example, a solid cyber insurance policy may cover not only liability arising out of potential litigation, such as defense costs, settlements, and judgments, but also breach notification costs and other crisis management expenses, including forensic investigation, credit monitoring, call centers, and public relations efforts as well as potential regulatory investigations, fines, and penalties. Recent SEC comments have requested information regarding both whether the company has obtained relevant insurance coverage as well as the amount of the company s cyber liability insurance. Considering these five tips may assist companies in minimalizing the likelihood of receiving an SEC comment letter (and possibly multiple rounds of comments) and, even more importantly, the likelihood of lawsuits alleging inadequate disclosure in the event of a cybersecurity incident. 9 Roberta D. Anderson, Before Becoming The Next Target: Recent Case Highlights The Need To Consider Insurance For Data Breaches, Insurance Coverage Alert (Jan. 16, 2014), available at 6

7 Authors: Roberta D. Anderson Katherine J. Blair Anchorage Austin Beijing Berlin Boston Brisbane Brussels Charleston Charlotte Chicago Dallas Doha Dubai Fort Worth Frankfurt Harrisburg Hong Kong Houston London Los Angeles Melbourne Miami Milan Moscow Newark New York Orange County Palo Alto Paris Perth Pittsburgh Portland Raleigh Research Triangle Park San Diego San Francisco São Paulo Seattle Seoul Shanghai Singapore Spokane Sydney Taipei Tokyo Warsaw Washington, D.C. Wilmington K&L Gates practices out of 48 fully integrated offices located in the United States, Asia, Australia, Europe, the Middle East and South America and represents leading global corporations, growth and middle-market companies, capital markets participants and entrepreneurs in every major industry group as well as public sector entities, educational institutions, philanthropic organizations and individuals. For more information about K&L Gates or its locations, practices and registrations, visit This publication is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer K&L Gates LLP. All Rights Reserved. 7