C-suite executives wake to another day, and another data breach. Scarcely a day goes by without the headlines reporting yet another data breach or other serious cybersecurity incident. Cyber incidents are ubiquitous, and no industry or organization, wherever situated, however small or large, is immune. No firewall is unbreachable, no security system impenetrable.
WHO IS AFFECTED?
For a single data breach, the Ponemon Institute recently reported that the average U.S. organizational cost is more than $5.85 million, with $509,237 spent on post-breach notification alone. 1
When they hit, cybersecurity events are expensive. In addition to crisis management expenses, such as forensics, notification, credit monitoring, and public relations, together with lawsuits and regulatory investigations, executives are increasingly facing shareholder litigation. In the wake of its high-profile data breach, for example, Target's directors and officers face a shareholder derivative action alleging that "Target ... has suffered considerable damage from [the] breach." 2
Proper attention to cybersecurity risk factor disclosures may decrease the likelihood that a company will face securities class action and derivative litigation in the wake of a cybersecurity incident—or at a minimum may mitigate a company's potential exposure.
By way of background, in view of "more frequent and severe cyber incidents," the U.S. Securities and Exchange Commission (SEC) issued cybersecurity disclosure guidance in October 2011. The guidance advises companies to "review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents." 3
Although the guidance does not create new cybersecurity disclosure obligations, failure to make adequate cybersecurity disclosures may subject a company to increased risk of enforcement actions and shareholder suits in the wake of a cybersecurity incident that negatively impacts a company's stock price.
Five Tips to Consider
The following five tips may assist companies in reviewing the adequacy of their existing cybersecurity disclosures, based on the SEC's disclosure guidance and its comment letters to date.
- Perform a Cybersecurity Risk Assessment. The SEC staff states in its guidance that it expects companies "to evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents," as well as "the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware." To facilitate adequate disclosures, companies should consider engaging in a thorough assessment concerning their current cybersecurity risk profile and the impact that a cybersecurity breach may have on the company's business.
- Consider Known and Potential Breaches. If a company has suffered a known cybersecurity event, it should anticipate that the SEC will issue a comment letter if the event is not disclosed. Significantly, even where a company states that it has not been the victim of a material cybersecurity event, the SEC nonetheless has requested that the company's risk factor disclosure be expanded to state generally that the company has been the victim of hacking—even if prior events were immaterial. In addition, companies may need to disclose threatened cyber incidents, together with potential costs and other consequences. Companies in targeted industries that are not yet aware of an incident should consider disclosing how the company might be impacted by a cybersecurity incident—even if no specific threat has been made.
- Be Specific. The SEC staff has advised that companies should avoid boilerplate language and vague statements of general applicability. In particular, the guidance states that companies should not present risks that could apply to any issuer or any offering, and should instead provide disclosure tailored to their particular circumstances.
- Remember a "Roadmap" is Not Required. Although the SEC seeks disclosures that are sufficient to allow investors to appreciate the nature of the risks faced by a company, it has made clear that the SEC does not seek information that would create a road map or otherwise compromise a company's cybersecurity. At the outset of its guidance, the SEC staff states that it is "mindful of potential concerns that detailed disclosures could compromise cybersecurity efforts—for example, by providing a 'roadmap' for those who seek to infiltrate a [company]'s network security—and we emphasize that disclosures of that nature are not required under the federal securities laws."
- Consider Insurance. Insurance can play a vital role in a company's overall strategy to address, mitigate, and maximize protection against cybersecurity risk. Reflecting this reality, the SEC guidance advises that appropriate disclosures may include a description of relevant insurance coverage that a company has in place to cover cybersecurity risks. The SEC's guidance provides another compelling reason for companies to carefully evaluate their current insurance program and consider purchasing "cyber" and data privacy-related insurance products, which can be extremely valuable.
Considering these five tips will assist companies in minimizing their exposure to lawsuits alleging inadequate disclosure in the event of a cybersecurity incident.
1 Ponemon Institute, 2014 Cost of Data Breach Study: Global Analysis, at 6, 15 (May 2014).
2 Collier v. Steinhafel, et al., No. 0:14-cv-00266 (D. Minn.) (filed Jan. 29, 2014), at ¶76.
3 SEC Division of Corporation Finance, Cybersecurity, CF Disclosure Guidance: Topic No. 2 (Oct. 13, 2011). The guidance advises that appropriate disclosures may include the following:
- Discussion of aspects of the registrant's business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
- To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
- Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
- Risks related to cyber incidents that may remain undetected for an extended period; and
- Description of relevant insurance coverage.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.