SEC cybersecurity disclosure: a how-to guide

Author: John Crabb | Published: 9 Jul 2018

The Securities and Exchange Commission (SEC) announced in April that Altaba, formerly known as Yahoo! Inc, agreed to pay a $35 million penalty ‘to settle charges that it misled investors by failing to disclose one of the world’s largest data breaches in which hackers stole personal data relating to hundreds of millions of user accounts’. This was the first instance of the SEC citing the guidance on public company cybersecurity disclosures that it released in February.

The issue of cybersecurity is more relevant than ever for companies, and it is only becoming more significant. So much of business is about data, whether it is in the cloud, in mobile applications or in the internet of things. As more and more organisations enter the space of collecting, sharing, using and combining data, the need for cybersecurity increases.

For many, this is a new concept: they have no experience dealing with the privacy issues around the data they are capturing, which leads to serious breaches that have profound effects on customers and investors.

Cyber attacks are increasingly common in all areas of business

Most companies are subject to some form of cyber intrusions every day, often hundreds of times a day, so the idea that they can prevent all forms of cyber intrusions is aspirational, said Lona Nallengara, partner at Shearman & Sterling. 

“That is just not possible, but from a legal perspective, part of the board’s and management’s oversight responsibility is making sure the right people and technology are in place to be able to detect when it is happening and are able to respond when it does,” he said. “Prevention, detection and then response. Those are the three things that you have to have in place.”

Disclosure Controls

The SEC’s disclosure guidance emphasises the importance of disclosure. According to the regulator, ‘given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion’.

The important thing to do is look at the business and the kinds of risks related to cyber attacks or cyber incidents, and make sure that the right technology and people are in place. Companies can hire consultants or experts to advise on this, but they need to ensure they have the technology and the personnel to understand the bespoke and unique risks their own systems could face.

If a cyber incident happens, it is important that those who are responsible for the disclosure, or at least for assessing whether an event requires disclosure, are made aware of it. Most companies have disclosure controls and procedures; there is often a committee of financial, legal, accounting and operational people who participate in these discussions.

Many companies, however, don’t have that direct pipeline between the disclosure committee and those responsible for cybersecurity observations, instant action and reporting.

The next significant component of applying the guidance is that even if you decide a cyber breach is not material to your business, that should not be the end of the analysis. There is a need to look at the stock risk factors in your filings, to assess whether the incident makes those risk factors materially misleading.

“It could still have a negative impact on the business, that is what many risk factors do look like,” said Jerome Tomas, partner at Baker McKenzie. “What the SEC is saying in the guidance is that if you are aware of a substantial breach and your risk factors simply say that you might be subject to breaches, then the SEC might very well take the view that that stock language is materially misleading in light of the information that you have about an actual incident.”


If a company is in the process of selling a business, they must make sure that they are not inaccurately representing the state of play to the buyer, particularly if it is a public to public company deal. This could trigger federal securities laws. On the flipside, the SEC guidance has said - in the context of buying businesses - that public companies need to take into consideration whether an acquisition of those companies brings into play a level of cyber-risk that they don’t otherwise have. 

“It is critical because a number of cases and incidents that I have worked on have arisen out of the acquired business context,” added Tomas.

Going forward, the focus will be on when the right time to disclose is, and whether a company can continue to treat cybersecurity - as the SEC has said - as a material disclosure question. In judging what investors would consider material to an investment decision, the factors to weigh include whether the impact is simply the associated costs, whether it is reputational, and whether there are other factors to consider in deciding whether there should be disclosure.

Looking at the guidance and the way the SEC handles disclosure cases, it is likely that more cases will follow the Yahoo! case. The SEC is going to look at them in the context of intentional fraud: is there actual intent or recklessness, or is this something that is not necessarily evidence of illegal intent, but rather negligence?

“My sense is that this is a one way street towards more enforcement actions, not just by the SEC but by others,” said Brian Hengesbaugh, partner at Baker McKenzie. “In the broader market place there are going to be more of these differing breach notice requirements and they are going to be more significant as time goes on. The tricky part for a company will be having a good procedure process that is within your control to manage the potentially conflicting duties in the midst of the crisis.”

It is also important to prepare a full assessment of all of the places where a breach is possible, or where there can be an incident; this doesn’t necessarily have to be intentional, it can also be unintentional, said Clarine Nardi Riddle, counsel at Kasowitz Benson Torres. “There are clearly hacktivists and cyber criminals out there, but there can also be unintentional events that nonetheless would require disclosure under the state data breach regulations.”

“Fully understanding the chain of your data, where it goes, who has access to it, how it gets used, is critically important,” she said. “It used to be that the only people who were concerned were in the IT department, but now more and more the company chief executive and key management subcommittees of the full board need to be totally briefed and aware of the policies and procedures to address cyber risk management.”
