IAPP Global Privacy Summit 2014
The SEC and Cybersecurity: What Every Publicly Traded Company Must Know

Moderator: Elaine Wolff, Partner, Corporate Finance and Securities Practice, Jenner & Block
Mary Ellen Callahan, Chair of Privacy and Information Governance Practice, Jenner & Block
Nicole Maddrey, Vice President, Deputy General Counsel & Assistant Secretary, Graham Holdings
Tangela Richter, General Counsel, Direct Bank and Brokerage, Capital One
Intro

- The SEC is going to be taking a fresh look at the required disclosure related to cybersecurity
- April 2013: US Senate Commerce Committee Chairman Jay Rockefeller asked the SEC to consider releasing more formal guidance, noting that the disclosures are generally still insufficient for investors to discern the true costs and benefits of companies' cybersecurity practices
- May 2013: Chair White's response, indicating a Staff review program in place since 2012 and a current evaluation of disclosures
- SEC plans to continuously review cybersecurity policies in 2014, starting with a focus on asset managers
- SEC Cybersecurity Roundtable to be held March 26
SEC Disclosure Guidance: Topic No. 2

- On October 31, 2011, the SEC issued guidance regarding cybersecurity risk and incident disclosure obligations

Overview: disclosure obligations that might require disclosure about cybersecurity
- Risk Factors
- MD&A
- Description of Business
- Legal Proceedings
- Financial Statement Disclosures
- Disclosure Controls and Procedures
SEC Disclosure Guidance (continued)

Significant costs of cyber attacks:
- Remediation costs, including liability for stolen assets or information, system repair costs, and costs of customer or business partner incentives
- Increased cybersecurity protection costs
- Lost revenues
- Litigation
- Reputational damage

Bottom Line: Public companies should include specific rather than generic disclosure of the nature of each cybersecurity risk and how it might affect the company
SEC Disclosure Guidance: Risk Factors

- Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.
- Take all relevant information into account:
  - Probability of cyber incidents
  - Quantitative and qualitative magnitude of the risks
  - Potential costs and other consequences
  - Adequacy of preventative actions taken to reduce cybersecurity risks
  - Threatened attacks of which the company is aware
SEC Disclosure Guidance: Risk Factors

- Adequately describe the nature of the material risks and specify how each risk affects the registrant
- **Do not provide generic risk factor disclosure**
- May need to disclose known or threatened cyber incidents
- Need not make disclosure that would compromise the registrant's cybersecurity
SEC Disclosure Guidance: Risk Factors

Appropriate disclosure may include:
- Discussion of aspects of business or operations that give rise to material cybersecurity risks and the potential costs
- Description of outsourced functions with material risks and how those risks are addressed
- Description of material (in the aggregate or individually) cyber attacks as well as their costs and consequences
- Risks related to cybersecurity that may remain undetected
- Description of relevant insurance coverage
SEC Disclosure Guidance: Other Sections

- MD&A: include risks and incidents if costs or other consequences represent a material event, trend, or uncertainty reasonably likely to have a material effect on results of operations, liquidity, or financial condition
- Description of Business: provide disclosure if cyber incident(s) materially affect products, services, relationships with customers or suppliers, or competitive conditions
- Material Pending Legal Proceedings
SEC Disclosure Guidance: Other Sections

- Financial Statement Disclosure:
  - Costs incurred to prevent cyber incidents
  - Costs incurred to mitigate damages from a cyber incident
  - Losses from asserted and unasserted claims
  - Diminished future cash flows
  - Impairment of assets
- Forward-Looking Statements Disclosure
- Effectiveness of Disclosure Controls and Procedures
Best Practices: Risk Factors

1. Disclose any specific (material) cybersecurity breaches that have occurred and explain how the company has dealt with them
   - Note: If a breach is deemed non-material by a company, the company may still receive a comment from the SEC asking for an explanation of why it was not considered material
   - Include the source of any cybersecurity attacks
   - Disclose any instances where a third party brought the incident to the company's attention
2. Include cybersecurity risks under their own separate, stand-alone category heading
Best Practices: Risk Factors (cont.)

- Provide the specific reason(s) why cybersecurity risk could be material
  - "In the ordinary course of our business, we collect and store sensitive data, including intellectual property, our proprietary business information and that of our customers, suppliers and business partners, and personally identifiable information of our customers and employees, in our data centers and on our networks." (Learning Tree International, Inc., 10-K filed 12/12/2013)
  - "We rely heavily on communications and information systems to conduct our business.... In addition, our operations rely on the secure processing, storage and transmission of confidential and other information on our computer systems and networks." (First Savings Financial Group, 10-K filed 12/30/2013)
Best Practices: Risk Factors (cont.)

- Include the specific types of cybersecurity risks the company may face
  - "Cyber incidents can include, but are not limited to, gaining unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data, or causing operational disruption." (Atkore International Holdings Inc., 10-K filed 12/11/2013)
  - "Systems failures could be caused by internal or external events, such as incursions by intruders or hackers, computer viruses, failures in hardware or software, power fluctuations or cyber terrorists." (Key Technology, Inc., 10-K filed 12/10/2012)
Best Practices: Risk Factors (cont.)

- Lay out the potential consequences from a cybersecurity breach
  - "A cyber-attack... may lead to a material disruption of [the company's] IT business systems and/or the loss of business information resulting in an adverse business impact. Risks may include:
    * Negative impact on future results due to the theft, destruction, loss, misappropriation, or release of confidential data or intellectual property;
    * Operational or business delays resulting from the disruption of IT systems and subsequent clean-up and mitigation activities; and
    * Negative publicity resulting in reputation or brand damage with customers, partners, or industry peers." (Innovative Solutions, 10-K filed 12/30/2013)
- Good Practice: tailor the discussion of the costs of cyber attacks that the SEC identified in its disclosure guidance to the specific business and industry of the company
- Indicate whether the company has taken steps to prevent cybersecurity breaches, including any insurance coverage
Best Practices: Management's Discussion and Analysis (MD&A)

- MD&A disclosure of a material cybersecurity breach should be included if the breach represents a material event, trend or uncertainty
- Information may be included in the Executive Overview and Results of Operations sections
- What to include:
  - Details of the breach (what? when? how?)
  - Company actions to limit damages and the estimated costs of such actions
  - Estimate of losses (current and estimated future losses)
  - Any litigation and actual or potential liabilities
  - Any other information specific to the experienced breach that is relevant to MD&A
Best Practices: 8-K Filings

- Necessity of filing a Form 8-K upon discovering a cybersecurity breach
  - Target / Neiman Marcus approaches
  - Always needed where the company selectively discloses such information to certain individuals: Regulation FD may require public disclosure
- Options for 8-K filings:
  - Item 8.01: Other Events. Several companies have filed Form 8-K to notify shareholders that they have put out a press release announcing a cybersecurity breach
  - Item 7.01: Regulation FD Disclosure. When Regulation FD applies, disclose the information publicly through either Item 7.01 or Item 8.01
Common SEC Comments

1. "Please expand your risk factor disclosure to describe the cybersecurity risks that you face or tell us why you believe such disclosure is unnecessary.... Please refer to the Division of Corporation Finance's Disclosure Guidance Topic No. 2."
2. "We note your disclosure regarding [a security breach]. In future filings please disclose in this section and in the Liquidity and Capital Resources section, if any preventative measures have been taken to reduce the risks of future cyber-attacks and if the costs associated... are reasonably likely to have a material effect on your results of operations, liquidity and financial condition."
3. "Please include appropriate risk factor disclosure regarding the online nature of your business, with particular attention to the cyber-security issues and web server maintenance."
4. "[I]n future filings, please expand this risk factor to disclose that you have experienced cyber attacks and breaches."
Board and Audit Committee Role in Oversight and Risk Management

- Boards of Directors / Audit Committee duties
- How to more effectively address the risk:
  - Make cyber risk education mandatory for directors
  - Ensure that board members understand their company's cybersecurity risk profile and the steps taken to address the risks
  - Consider Board candidates with expertise in IT
  - Create a Board-level reporting system giving directors timely and usable information about cybersecurity risk
  - Audit committees should ask for benchmarks from specific security programs
Questions