As more and more of our business and personal information is
stored on computers, we all feel a little sick when the news
headlines inform us of the latest computer virus, security breach
or data loss.
In October, two interesting developments occurred within a few days
of each other. First, on October 13, 2011, the Securities and
Exchange Commission ("SEC") clarified that information
security is, in fact, a risk type that must be considered when
public companies disclose risks to investors, consistent with
Regulation S-K Item 503(c).[1] Second, the Office of the
National Counterintelligence Executive published a report entitled
"Foreign Spies Stealing U.S. Economic Secrets in Cyberspace:
Report to Congress on Foreign Economic Collection and Industrial
Espionage 2009–2011" (The
"Report").[2] The Report confirms what we
suspected, but did not want to admit — that we are
economically vulnerable in cyberspace, thereby making the SEC
guidance both necessary and timely.
Public companies can no longer avoid dealing with information
security. It must be a priority, and senior company management and
the Board of Directors must pay attention to the details provided
by their information security specialists as part of their overall
risk management obligations. The SEC guidance also puts to rest the
frequent internal debate concerning whether or not to inform
clients or the public about security incidents. The disclosure of a
security problem is mandatory if it is material to a public
company.
In the disclosure guidance, the SEC includes the following as
"Risk Factors":
- Discussion of aspects of the registrant's business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
- To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
- Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
- Risks related to cyber incidents that may remain undetected for an extended period; and
- Description of relevant insurance coverage.
Good risk factor disclosure is an art. The disclosure needs to
be concise, readable and informative. In the case of cybersecurity
disclosure, it has to provide particular detail in the context of
the business, but not so much that a disclosure compromises the
company's cybersecurity efforts by providing a roadmap for bad
actors who want to infiltrate the company's systems. In
ordinary circumstances, the construction of risk factor disclosures
is challenging. Cybersecurity disclosures will be harder
— they will require that lawyers, senior management and
technologists communicate with each other, and they don't all
speak the same language. From counsel's point of view, it is
important to know what questions to ask in order to get the answers
needed in order to do the job. A useful start is always, "What
keeps you up at night?" Next, ask whether the company has a
comprehensive information security program in place, and listen to
the details.
In relatively few years, almost all corporate data has become
available in electronic form. Information security programs need to
keep up with advances in technology. Here are some more questions
to ask:
- What is the organization doing to protect itself from unwanted intrusion?
- Is access to information carefully controlled, well documented and permitted on a "need-to-know" basis?
- Is there an inventory of the software applications and the data used by those systems?
- Does the company classify its data by category (e.g., personally identifiable information ("PII"), proprietary, trade secret, confidential, public, internal use only, restricted)?
- Does the company have an approach to the protection of information by data classification?
Third parties (i.e., outsourcing providers) who perform services
for the company are a potential "break" in the chain of
control in an organization, and the SEC requires that the company
consider these outsourcing arrangements as a "Risk
Factor." In the outsourcing context, the company should have a
dynamic inventory of its third-party service providers, what they
do, what data is in their custody and where in the world the data
is located. The company should conduct diligence regarding the
providers of outsourced services prior to contract. The questions
suggested above also apply in the outsourcing context. The
outsourcing contract should be carefully crafted and clear about
risks, rights and remedies. It used to be that once the contract
was signed, it could be filed away and not reviewed again. Not
anymore. In order to appropriately and adequately disclose risks,
third-party diligence should continue after the agreement has been
signed. Audits, reviews, monitoring, testing and escalation
procedures are important elements of good governance. New
technologies are making the monitoring job easier than it has been
in recent years, meaning more process automation and scenario
simulation is available and less manual and physical checking is
required. If the company is contemplating an outsourced
relationship to a virtual data center (aka the "cloud"),
there is an enhanced risk profile to consider.
In the context of both the SEC guidance and the Report to Congress,
it is probably time to revisit the company's existing
contracts, upgrade data security obligations and ensure that a
governance plan is in place. Policies, procedures and contracts are
all useful and important tools in the risk mitigation toolbox,
particularly when supplemented by auditing and
testing.[3]
It is also interesting to note that Section 922 of the Dodd-Frank
Act provides real incentives to blow the whistle on a company when
original information about potential securities laws violations
leads to sanctions in excess of one million dollars. Well-known,
robust compliance programs can be helpful to the company in this
context. If the company has not done an internal "data
audit," it is time to do one. Between the proliferation of
data breach laws, the disclosure requirements, and the increasing
capability of bad actors, prudence dictates preparedness. All
important projects begin with an inventory. The company should know
what data and what class of data is resident in which software
applications. The company should know where those software
applications run — in-house, or third party —
and where in the world they run. The company should be able to
demonstrate that it has security procedures in place both in-house
and at the third party.
Cyber incidents damage trust, harm reputations and tarnish a
company's brand, in addition to costing a lot of money to
remediate. The company needs a good contract, good practices and
procedures and the ability to demonstrate (i.e., document and
retain evidence of action) that the procedures are routinely
followed and audited. The theft of valuable trade secrets can do
real damage to the company's competitiveness and, in some
cases, the viability of the franchise.
If the company is getting good answers to the questions above,
great news! Keep it fresh.
If not, it is possible for the company to create a holistic,
dynamic and comprehensive approach to the protection of its various
types of information — from intellectual property to PII
— that will satisfy regulatory obligations and manage
risk to the satisfaction of the company's investors and the
Board.
Footnotes
1. The SEC guidance is available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
2. The Report is available at http://www.ncix.gov/publications/reports/fecie_all/index.html.
3. See also, McKinsey Quarterly "Meeting the Cybersecurity Challenge," available at http://www.mckinseyquarterly.com/meeting_the_cybersecurity_challenge_2821.