One of the big corporate governance related stories last month was the settlement agreement between the Securities and Exchange Commission (SEC) and Facebook Inc. arising from the misuse of Facebook user data and disclosures in Facebook’s public filings. The settlement was the most high-profile recent development in the realm of public company cybersecurity and cyber disclosure – but it was far from the only one we’ve seen in the news lately.
As this issue gains ever more public attention, what incident reporting trends are we seeing that affect public companies? What is the staff of the SEC focusing on in comments related to cybersecurity matters? And what are some of the lessons we have learned that board members and senior management should consider?
This article explores these topics.
The Audit Analytics report
Earlier this year, Audit Analytics published a report taking a deep dive into the trends and statistics of public company cybersecurity and cyber disclosure.1 The company observed that "[o]ver the past ten years, cybersecurity has become a greater threat for public companies, as both business and commerce have become more dependent on technology. Cyber threats from social engineering schemes to sophisticated programs put customer data, financial accounts, and even proprietary information at risk to third-party access."2
The key findings of the report were:
- On average, companies discovered a cyber breach 123 days after its occurrence and disclosed the breach after another 44 days.
- The number of days it takes to uncover a breach varies depending on industry, type of breach, and type of information compromised.
- Only about 50 percent of firms that disclosed a breach provided information on the type of attack that occurred.
- 70 percent of affected companies disclosed one cyber breach and about 30 percent disclosed multiple breaches.
- For public companies, service and manufacturing sectors had the greatest number of disclosed cyberattacks.3
Listed below are a few comments4 issued by the staff of the Division of Corporation Finance at the SEC on these topics. These well illustrate staff concerns:
- We note your disclosure that you continue to face a host of cyber threats; your disclosure that cyber-crimes and denial of service attacks have increased; and your identification of cyber-attacks as a key risk. Please clarify whether you have knowledge of the occurrence of any such attacks in the past. If attacks have occurred, and were material either individually or in the aggregate, revise to discuss the related costs and consequences. Also, describe the particular aspects of your business and operations that give rise to material cybersecurity risks and the potential costs and other consequences of such risks to those businesses and operations. For additional guidance, please refer to CF Disclosure Guidance Topic No. 2 on Cybersecurity.
- In this risk factor you discuss the potential impact of operational risks. Have you suffered any significant losses or other damages as a result of operational risks, or has your controls testing indicated that you have a significant deficiency? Please revise to provide a description of any cyber incidents that you have experienced that are individually, or in the aggregate, material, including a description of the costs and other consequences and to provide the investor with an idea of the likelihood that a risk may impact your results and the potential impact on your assets and earnings. Refer to CF Disclosure Guidance: Topic No. 2 and Regulation S-K Item 503(c).
- We note that your recent acquisition of *** will allow you to accelerate the development of solutions for the *** and for a broader set of industries and markets. We further note that *** percent of your *** were to *** after a flaw in the *** was identified. Please tailor your risk factor disclosure and expand your discussion of cybersecurity issues to discuss the impact of any known trends and uncertainties relating to actual cyber hacks and vulnerabilities.
- In order for investors to better understand the possible impact that a cyber-security incident might impact your company; please revise this risk factor to discuss any material breaches that have impacted your business or the businesses of your partner firms. For example, we note that *** was subject to an attack in *** that resulted in the loss of $*** in client funds and a fine from your regulators.
- You disclose in this risk factor that you "have been subject to denial or disruption of service attacks by hackers." Please provide us with additional information regarding the nature and scope of the attacks you reference, including when they occurred and whether they had a material impact on your business either on an individual or aggregate basis. Please tell us your consideration for including a discussion of this incident, including a description of the costs and consequences, in this risk factor and elsewhere in your disclosure, as appropriate. We refer you to the Division of Corporation Finance´s CF Disclosure Guidance: Topic No. 2 for additional guidance.
- We note your disclosure that during ***, [the company's] computer network was the target of a cyber-attack that you believe was sponsored by a foreign government, designed to interfere with your *** and undermine your reporting. We also note your disclosure that you have implemented controls and taken other preventative actions to further strengthen your systems against future attacks. If the amount of the increased expenditures in cybersecurity protection measures was or is expected to be material to your financial statements, please revise your discussion in MD&A to discuss these increased expenditures. Also, if material, please revise the notes to your financial statements to disclose how you are accounting for these expenditures, including the capitalization of any costs related to internal use software.
- We note your response to prior *** from our letter to you dated ***. In future filings, beginning with your next Form 10-Q, please provide a separate discussion of the risks posed to your operations from your dependence upon technology or to your business, operations or reputation by cyber attacks or breaches of your cybersecurity. In addition, in order to provide the proper context for your risk factor disclosure, and as you stated in your response letter, please confirm that you will disclose in this revised risk factor that you have experienced occasional actual and attempted breaches of your cybersecurity.
Lessons learned on SEC concerns
Action item: Materiality is still king. The various guidances published by the SEC and its staff do not implement a new reporting regime or make significant changes to the existing understanding of what is material to a public company. Not every cyber-related incident will result in some sort of public disclosure. Issues surrounding a breach, including internal investigations on the topic, can frequently take some time to fully unpack, and it is best to gather information and have a candid discussion with disclosure counsel.
Action item: Take a hard look at existing disclosure. The SEC comments noted above and the Facebook proceedings make it clear that hypothetical phrasing of events that a company has experienced is problematic. It is not unusual for the staff of the SEC to review social media and alternative sources for information about new developments. The SEC staff expects companies to disclose cyber incidents that are, individually or in the aggregate, material − including the costs and consequences associated with the incident.
Action item: It is not all about the Risk Factors. The SEC staff's 2011 guidance on this issue reminded registrants that "a number of disclosure requirements may impose an obligation on registrants to disclose [cybersecurity] risks and [cyber] incidents."5 The SEC staff is also concerned about the following topics:
- Are there any known trends and uncertainties related to the actual cyber hacks and vulnerabilities?6
- What is the exact nature and scope of the cyber incidents, including when they occurred and whether they had a material impact on the company's business?
- What sort of expenditures does the company expect to undertake on its cybersecurity protection measures and would this expenditure have a material impact on the company's financial statements?7
Third-party access to a company's network, customer data or other information is another topic that should be reviewed periodically.
1 Audit Analytics - Trends in Cybersecurity Breach Disclosures (Published March 13, 2019) (available here - http://www.alacrastore.com/storecontent/Audit-Analytics-Trend-Reports/Trends-in-Cybersecurity-Breach-Disclosures-2033-62) (Trends Report).
2 Audit Analytics blog posted on March 18, 2019 (available here - https://blog.auditanalytics.com/trends-in-cybersecurity-breach-disclosures/).
3 Trends Report on page 1.
4 The comments have been revised to redact company-specific information.
5 CF Disclosure Guidance: Topic No. 2, Cybersecurity, Division of Corporation Finance (Oct. 13, 2011), available athttps://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm (SEC Guidance) on page 2.
6 Registrants are reminded to address cybersecurity risks and related incidents in their MD&A "if the costs or other consequences associated with one or more know incidents or risks of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant's [financial statement] … or would cause reported financial information not to be necessarily indicative of future operating results or financial condition." SEC Guidance on page 3.
7 The SEC staff also reminded registrants that a cyber incident may require disclosure in the Legal Proceedings or Financial Statements. SEC Guidance on page 3.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.