IAPP Global Privacy Summit 2014 The SEC and Cybersecurity: What Every Publicly Traded Company Must Know

Moderator: Elaine Wolff, Partner, Corporate Finance and Securities Practice, Jenner & Block
Panelists:
Mary Ellen Callahan, Chair of Privacy and Information Governance Practice, Jenner & Block
Nicole Maddrey, Vice President, Deputy General Counsel & Assistant Secretary, Graham Holdings
Tangela Richter, General Counsel, Direct Bank and Brokerage, Capital One

Intro
The SEC is going to be taking a fresh look at the required disclosure related to cybersecurity.
April 2013: US Senate Commerce Committee Chairman Jay Rockefeller asked the SEC to consider releasing more formal guidance, noting that the disclosures are generally still insufficient for investors to discern the true costs and benefits of companies' cybersecurity practices.
May 2013: Chair White's response, indicating a Staff review program in place since 2012 and a current evaluation of disclosures.
The SEC plans to continuously review cybersecurity policies in 2014, starting with a focus on asset managers.
SEC Cybersecurity Roundtable to be held March 26.

SEC Disclosure Guidance: Topic No. 2
On October 13, 2011, the SEC's Division of Corporation Finance issued guidance regarding cybersecurity risk and incident disclosure obligations.
Overview: existing disclosure obligations that might require disclosure about cybersecurity:
- Risk Factors
- MD&A
- Description of Business
- Legal Proceedings
- Financial Statement Disclosures
- Disclosure Controls and Procedures

SEC Disclosure Guidance (continued)
Significant costs of cyber attacks:
- Remediation costs, including liability for stolen assets or information, system repair costs, and costs of customer or business partner incentives
- Increased cybersecurity protection costs
- Lost revenues
- Litigation
- Reputational damage
Bottom Line: Public companies should include specific rather than generic disclosure of the nature of each cybersecurity risk and how it might affect the company.

SEC Disclosure Guidance: Risk Factors
Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.
Take all relevant information into account:
- Probability of cyber incidents
- Quantitative and qualitative magnitude of the risks
- Potential costs and other consequences
- Adequacy of preventative actions taken to reduce cybersecurity risks
- Threatened attacks of which the company is aware

SEC Disclosure Guidance: Risk Factors (cont.)
- Adequately describe the nature of the material risks and specify how each risk affects the registrant
- **Do not provide generic risk factor disclosure**
- May need to disclose known or threatened cyber incidents
- Need not make disclosure that would itself compromise the registrant's cybersecurity (e.g., a roadmap of specific technical weaknesses)

SEC Disclosure Guidance: Risk Factors (cont.)
Appropriate disclosure may include:
- Discussion of aspects of business or operations that give rise to material cybersecurity risks and the potential costs
- Description of outsourced functions with material risks and how those risks are addressed
- Description of material (in the aggregate or individually) cyber attacks, as well as their costs and consequences
- Risks related to cybersecurity that may remain undetected
- Description of relevant insurance coverage

SEC Disclosure Guidance: Other Sections
MD&A: Include risks and incidents if costs or other consequences represent a material event, trend, or uncertainty reasonably likely to have a material effect on results of operations, liquidity, or financial condition.
Description of Business: Provide disclosure if cyber incident(s) materially affect products, services, relationships with customers or suppliers, or competitive conditions.
Legal Proceedings: Disclose material pending legal proceedings.

SEC Disclosure Guidance: Other Sections (cont.)
Financial Statement Disclosure:
- Costs incurred to prevent cyber incidents
- Costs incurred to mitigate damages from a cyber incident
- Losses from asserted and unasserted claims
- Diminished future cash flows
- Impairment of assets
Forward-Looking Statements Disclosure
Effectiveness of Disclosure Controls and Procedures

Best Practices: Risk Factors
1. Disclose any specific (material) cybersecurity breaches that have occurred and explain how the company has dealt with them.
   - Note: If a breach is deemed non-material by a company, the company may still receive a comment from the SEC asking for an explanation of why it was not considered material.
   - Include the source of any cybersecurity attacks.
   - Disclose any instances where a third party brought the incident to the company's attention.
2. Include cybersecurity risks under their own separate, stand-alone category heading.

Best Practices: Risk Factors (cont.)
Provide the specific reason(s) why cybersecurity risk could be material:
"In the ordinary course of our business, we collect and store sensitive data, including intellectual property, our proprietary business information and that of our customers, suppliers and business partners, and personally identifiable information of our customers and employees, in our data centers and on our networks." (Learning Tree International, Inc., 10-K filed 12/12/2013)
"We rely heavily on communications and information systems to conduct our business.... In addition, our operations rely on the secure processing, storage and transmission of confidential and other information on our computer systems and networks." (First Savings Financial Group, 10-K filed 12/30/2013)

Best Practices: Risk Factors (cont.)
Include the specific types of cybersecurity risks the company may face:
"Cyber incidents can include, but are not limited to, gaining unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data, or causing operational disruption." (Atkore International Holdings Inc., 10-K filed 12/11/2013)
"Systems failures could be caused by internal or external events, such as incursions by intruders or hackers, computer viruses, failures in hardware or software, power fluctuations or cyber terrorists." (Key Technology, Inc., 10-K filed 12/10/2012)

Best Practices: Risk Factors (cont.)
Lay out the potential consequences from a cybersecurity breach:
"A cyber-attack... may lead to a material disruption of [the company's] IT business systems and/or the loss of business information resulting in an adverse business impact. Risks may include:
* Negative impact on future results due to the theft, destruction, loss, misappropriation, or release of confidential data or intellectual property;
* Operational or business delays resulting from the disruption of IT systems and subsequent clean-up and mitigation activities; and
* Negative publicity resulting in reputation or brand damage with customers, partners, or industry peers." (Innovative Solutions, 10-K filed 12/30/2013)
Good Practice: Tailor the discussion of the costs of cyber attacks that the SEC identified in its disclosure guidance to the specific business and industry of the company. Indicate whether the company has taken steps to prevent cybersecurity breaches, including any insurance coverage.

Best Practices: Management's Discussion and Analysis (MD&A)
MD&A disclosure of a material cybersecurity breach should be included if it represents a material event, trend or uncertainty. The information may be included in the Executive Overview and Results of Operations sections.
What to include:
- Details of the breach (what? when? how?)
- Company actions to limit damages and the estimated costs of such actions
- Estimate of losses (current and estimated future losses)
- Any litigation and actual or potential liabilities
- Any other information specific to the experienced breach that is relevant to MD&A

Best Practices: 8-K Filings
Necessity of filing a Form 8-K upon discovering a cybersecurity breach: compare the Target and Neiman Marcus approaches.
Always needed where the company selectively discloses such information to certain individuals, since Regulation FD may then require public disclosure.
Options for 8-K filings:
- Item 8.01 (Other Events): Several companies have filed a Form 8-K to notify shareholders that they have put out a press release announcing a cybersecurity breach.
- Item 7.01 (Regulation FD Disclosure): When Regulation FD applies, disclose the information publicly through either Item 7.01 or Item 8.01.

Common SEC Comments
1. "Please expand your risk factor disclosure to describe the cybersecurity risks that you face or tell us why you believe such disclosure is unnecessary.... Please refer to the Division of Corporation Finance's Disclosure Guidance Topic No. 2."
2. "We note your disclosure regarding [a security breach]. In future filings please disclose in this section and in the Liquidity and Capital Resources section, if any preventative measures have been taken to reduce the risks of future cyber-attacks and if the costs associated... are reasonably likely to have a material effect on your results of operations, liquidity and financial condition."
3. "Please include appropriate risk factor disclosure regarding the online nature of your business, with particular attention to the cyber-security issues and web server maintenance."
4. "[I]n future filings, please expand this risk factor to disclose that you have experienced cyber attacks and breaches."

Board and Audit Committee Role in Oversight and Risk Management
Boards of Directors / Audit Committee duties. How to more effectively address the risk:
- Make cyber risk education mandatory for directors
- Ensure that board members understand their company's cybersecurity risk profile and the steps taken to address the risks
- Consider Board candidates with expertise in IT
- Create a Board-level reporting system giving directors timely and usable information about cybersecurity risk
- Audit committees should ask for benchmarks from specific security programs

Questions