Gus P. Coldebella Partner, Goodwin Procter LLP Former General Counsel, Dept. of Homeland Security. What are we going to talk about today?

Transcription

1 Cyber Security Meets Corporate Securities: The SEC's Authority to Regulate Companies' Cyber Defenses and Corporate Directors' Fiduciary Responsibilities Gus P. Coldebella Partner, Goodwin Procter LLP Former General Counsel, Dept. of Homeland Security 1 What are we going to talk about today? Three things: 1. What the SEC is doing and why 2. The Law of the Boardroom 3. How these things affect (or should affect) what companies do with regard to cybersecurity 2

2 FACT: The SEC has taken the de facto lead in cyber security in the federal government. 3 YOUR PERFECTLY APPROPRIATE RESPONSE: Who cares? 4

3 Why should I care? These are the big ones: The SEC has regulatory authority that includes setting disclosure guidance and rules for public companies If you disagree, the SEC can bring expensive investigations and litigation. The SEC s examination power also allows it to test IAs and BDs for compliance with cybersecurity standards 5 Reasons (Stated and Unstated) That the SEC is In the Driver s Seat The Publicly-Stated Reason: The mission of the U.S. Securities and Exchange Commission is to protect investors, maintain fair, orderly, and efficient markets, and facilitate capital formation. -- The SEC s formal jurisdiction over cybersecurity is directly focused on the integrity of our market systems, customer data protection, and disclosure of material information. But it is incumbent on every government agency to be informed on the full range of cybersecurity risks and actively engage to combat those risks in our respective spheres of responsibility. --SEC Chairman Mary Jo White 3/26/14 Cybersecurity Roundtable 6

4 Reasons (Stated and Unstated) That The SEC s In the Driver s Seat Some Unstated Reasons: 1. Congressional Inaction and The Rockefeller Letters 2. Enforcement Through Disclosure No Federal Breach Notification Law? No Problem! 3. Making What Is Voluntary Mandatory No Mandatory NIST Framework? No Problem! 4. The Power of Indirect Regulation 5. Reach and Power of Agency and Consequences of Non- Compliance 7 Why should I care? The big question: Will the SEC help the victim or blame the victim? 8

5 The SEC s Disclosure Guidance Who has to file reports? Are you a reporting company? If you re a public company (i.e., you have a class of securities that is listed on a national securities exchange such as the NYSE or NASDAQ, or you re a company with more than $10 million in assets whose equity securities are held by more than a specified number of holders), then you are. Reporting companies have to file: Annual reports on Form 10-K; Quarterly reports on Form 10-Q; and Current Reports on Form 8-K. 9 The SEC s Disclosure Guidance What needs to be included in periodic reports? There is no blanket requirement that every material fact be included. But certain things must be included under the 34 Act and Regulation S-K, which sets the specific disclosure requirements associated with Form 10-K and other SEC filings. Importantly, nothing related to cybersecurity is included in the 34 Act or Regulation S-K, but 10

6 The SEC s Disclosure Guidance CF Disclosure Guidance: Topic No. 2 (Oct. 2011) What does the SEC expect the registrant to do? Evaluate cyber risks Take into account all relevant information, including Prior cyber incidents, their severity and frequency Probability of cyber risks occurring Qualitative and quantitative magnitude of risks, including potential costs and other consequences No generic disclosure May need to disclose known or threatened attacks to put risks in context 11 The SEC s Disclosure Guidance CF Disclosure Guidance: Topic No. 2 (Oct. 2011) Where should the disclosure be? Two main places: Risk factors and MD&A. Risk factors: If among the most significant factors that make investment in a registrant speculative or risky MD&A: If costs and other consequences of known or potential cyber events represents a material event, trend or uncertainty. Also, in the Description of the Business section, businesses should disclose whether a cybersecurity incident has impaired a product's future viability 12

7 The SEC s Disclosure Guidance What is material? Information presenting a substantial likelihood that the disclosure of the omitted fact would have been viewed by the reasonable investor as having significantly altered the total mix of information made available. (TSC Indus. v. Northway, Inc., 426 U.S. 438 (1976)). Silence, absent a duty to disclose, is not misleading[.] (Basic Inc. v. Levinson, 485 U.S. at 239 n.17.) 13 The SEC s Disclosure Guidance Case Studies 14

8 The SEC s Disclosure Guidance Comment Letter Trends 1. Staff seems to think all breaches are material (or at least should be disclosed) 2. Companies should be aware that the SEC will do its own research into companies cybersecurity history 3. Special attention paid to financial-services companies 4. Third-party risk is a key focus So, how is this guidance affecting companies cybersecurity? 15 The SEC s Disclosure Guidance 16

9 Disclosure When A Breach Happens What About When A Breach Happens? In addition to filing annual reports on Form 10-K and quarterly reports on Form 10-Q, public companies must report certain material corporate events on a current basis. Form 8-K is the current report companies must file with the SEC to announce major events that shareholders should know about. Nine sections. Sections 1-7 and 9 call for disclosure when specific things happen (entry into a material agreement, change in accountant, etc.) Cyber breaches are not one of them. But 17 Disclosure When A Breach Happens Form 8-K Item 8.01 Other Events. The registrant can use this Item to report events that are not specifically called for by Form 8-K, that the registrant considers to be of importance to security holders. 18

10 Disclosure When A Breach Happens Form 8-K What did recent breach victims do? 19 Disclosure When A Breach Happens Form 8-K What should companies consider when determining whether to currently report a breach? Materiality Trading Litigation and regulatory enforcement risk Threat (or guarantee!) of discovery Did you say it already? Reg FD. 20

11 Examination of Investment Advisers and Broker-Dealers On April 14, 2014, SEC put out a blueprint for how it will assess cybersecurity preparedness in securities industry OCIE Cybersecurity Initiative Risk Alert 50 BDs and IAs but moved an entire industry 21 Examination of Investment Advisers and Broker-Dealers Risk Alert contains a 7 page assessment with 28 comprehensive questions, including about: information technology asset management information security organization and policies risk assessments access management removable media and data loss prevention encryption incident response planning system and data backup and disaster recovery/business continuity cyber insurance third-party relationships disclosure 22

12 The Law Of The Boardroom: Role of BoD In Cybersecurity Delaware Law 101 What are the Duty of Care and the Duty of Loyalty? Good faith Reasonable basis Ordinary prudent person The Business Judgment Rule and Why Directors Want It To Apply to Them Caremark and Potential Violations of the Duty of Loyalty 23 The Law Of The Boardroom: Role of BoD In Cybersecurity Some Operating Principles for Companies and Boards of Directors 1. You don t have to do it all yourself Reliance on competent people inside and outside of company is OK 2. It is better to act than not to act Caremark. If the company follows the SEC s guidance, it will be ahead of the game 3. This is not one and done Threat is dynamic; information is ever-changing 4. Broaden your view Focusing only on what s required to be disclosed (like PII breaches) is short-sighted 24

13 Conclusions / Lessons Learned Gus Coldebella, Goodwin Procter LLP gcoldebella@goodwinprocter.com 25