SEC issues guidance on cybersecurity disclosure
Agency may be setting the stage for enforcement actions
December 31, 2011 at 07:00 PM
6 minute read
Whether they're in banking, retail or the defense industry, companies from a huge array of sectors face a diverse array of cybersecurity risks every day from parties that seek to steal information or intellectual property to disrupt company operations or corrupt data.
An April 2011 attack on Sony's PlayStation Network compromised personal customer data from more than 100 million accounts, forcing the network to shut down for a month. The Goldman Sachs Group Inc. quickly realized it was a victim in 2009 when a computer programmer on his last day of employment with the company stole proprietary software to shop it to his new employer. In January 2010, Google Inc. said it was the victim of attackers seeking information on Chinese human rights activists, in an attack that also targeted 20 other companies across various industries. And participants in the amorphous hacking group Anonymous targeted a string of corporate websites in 2010 and 2011 with distributed denial of service (DDoS) attacks, which overwhelm networks and crash systems.
“The configurations are kind of endless,” says White & Case Partner William Currier, a former assistant regional director of the Securities and Exchange Commission (SEC) and senior trial counsel. “You can just feel the rising tide of danger.”
In response to this danger and to pressure from legislators, on Oct. 13, 2011, the SEC's Division of Corporation Finance issued guidance on disclosure obligations as they relate to cybersecurity risks and cyber incidents. Although the guidance creates no new requirements, it makes clear that the agency expects public companies and other SEC-reporting companies to have undertaken an assessment of the risks they face, the consequences that may occur in the occasion of a cyber event and how they might respond.
Urgent Challenge
A group of five U.S. senators, including John Rockefeller, chairman of the Commerce, Science and Transportation Committee, sent a letter to SEC Chairman Mary Schapiro in May 2011 requesting such interpretive guidance to address investor confusion and reporting inconsistencies by clarifying how existing disclosure requirements pertain to information security risk. They cited a 2009 survey by insurance underwriter Hiscox, which found that 38 percent of Fortune 500 companies made a “significant oversight” by failing to mention privacy or data security exposures in their public filings.
The senators wrote, “Securing cyberspace is one of the most important and urgent challenges of our time. … In light of the growing threat and the national security and economic ramifications of successful attacks against American businesses, it is essential that corporate leaders know their responsibility for managing and disclosing information security risk.”
And if corporate leaders fail to make adequate disclosures, Currier says this guidance lays the blueprint for further action in the future.
“From my enforcement perspective,” he says, “these guidelines set up the situation where the SEC's going to bring an enforcement action against some company for making false or misleading statements about cybersecurity and exposure inside a major U.S. or non-U.S. company that failed to provide necessary notifications, and then experienced a massive breach. I can't say that tomorrow there will be an enforcement case, but the SEC doesn't write about stuff it's not concerned about.”
Outlining Obligations
In its guidance, the SEC reminds companies of several specific disclosure obligations that may require a discussion of cybersecurity risks and incidents. One area the guidance addresses is risk factor disclosures, if cyber incidents “are among the most significant factors that make an investment in the company speculative or risky.”
To make that determination, the SEC says it expects public companies to evaluate their cybersecurity risks, the probability of cyber incidents occurring, and the quantitative and qualitative magnitude of those risks, including costs and other consequences—for instance, misappropriation of sensitive information, corruption of data or operational disruption.
The other disclosure obligations the SEC outlined covered MD&A (Management's Discussion and Analysis of financial condition), Description of Business (if a cyber incident materially impacts the viability of, for example, a new product), Legal Proceedings (as they relate to a cyber incident) and Financial Statement Disclosures (if a cyber incident has an impact on financial statements).
The guidance recognizes that one of the challenges for companies that disclose will be to balance the need for detailed disclosures with some measure of secrecy, so that they avoid laying out a road map for potential attackers. The SEC emphasized that it won't require disclosures that could compromise cybersecurity efforts.
Initial Framework
Colin Zick, a partner at Foley Hoag, says that the cybersecurity expertise within companies can vary considerably. “You'll see a similarly diverse set of responses to this guidance,” he says. “If you work for a small public company that interacts with consumers, you might not be thinking about cybersecurity, so the purpose of a guidance like this is to make you think about it and remember that you have an obligation there.”
Now that the SEC staff's initial views are in writing, the agency is likely to keep a close eye on disclosures that come out in the next year, says Michael Hermsen, a partner at Mayer Brown. “If the SEC thinks there are inadequacies or inconsistencies, we might see further action, in line with some sort of rulemaking or more specific interpretive guidance,” he says.
For now the guidance serves as a reminder, a framework and perhaps as a sign of things to come as more companies face data and network security breaches, and the attendant consequences—which can be costly.
Sony estimated that it would cost $171 million to rebuild its computers and to compensate customers and provide them with credit protection services and an analyst at Wedbush Morgan estimated that the network outage cost the company about $10 million per week. Plus Sony was slow to share information about the breach with its customers, badly tarnishing its reputation. “That case illustrates a readily apparent risk not addressed ahead of time,” Currier says.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllSEC Penalizes Wells Fargo, LPL Financial $900,000 Each for Inaccurate Trading Data
US Reviewer of Foreign Transactions Sees More Political, Policy Influence, Say Observers
Pre-Internet High Court Ruling Hobbling Efforts to Keep Tech Giants from Using Below-Cost Pricing to Bury Rivals
6 minute readPreparing for 2025: Anticipated Policy Changes Affecting U.S. Businesses Under the Trump Administration
Trending Stories
- 1'Largest Retail Data Breach in History'? Hot Topic and Affiliated Brands Sued for Alleged Failure to Prevent Data Breach Linked to Snowflake Software
- 2Former President of New York State Bar, and the New York Bar Foundation, Dies As He Entered 70th Year as Attorney
- 3Legal Advocates in Uproar Upon Release of Footage Showing CO's Beat Black Inmate Before His Death
- 4Longtime Baker & Hostetler Partner, Former White House Counsel David Rivkin Dies at 68
- 5Court System Seeks Public Comment on E-Filing for Annual Report
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250