As more and more of our business and personal information is stored on computers, we all feel a little sick when the news headlines inform us of the latest computer virus, security breach or data loss.
In October, two interesting developments occurred within a few days of each other. First, on October 13, 2011, the Securities and Exchange Commission ("SEC") clarified that information security is, in fact, a risk type that must be considered when public companies disclose risks to investors, consistent with Regulation S-K Item 503(c).[1] Second, the Office of the National Counterintelligence Executive published a report entitled "Foreign Spies Stealing U.S. Economic Secrets in Cyberspace: Report to Congress on Foreign Economic Collection and Industrial Espionage 2009–2011" (the "Report").[2] The Report confirms what we suspected, but did not want to admit — that we are economically vulnerable in cyberspace, thereby making the SEC guidance both necessary and timely.
Public companies can no longer avoid dealing with information security. It must be a priority, and senior company management and the Board of Directors must pay attention to the details provided by their information security specialists as part of their overall risk management obligations. The SEC guidance also puts to rest the frequent internal debate concerning whether or not to inform clients or the public about security incidents. The disclosure of a security problem is mandatory if it is material to a public company.
In the disclosure guidance, the SEC includes the following as "Risk Factors":
- Discussion of aspects of the registrant's business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
- To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
- Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
- Risks related to cyber incidents that may remain undetected for an extended period; and
- Description of relevant insurance coverage.
Good risk factor disclosure is an art. The disclosure needs to be concise, readable and informative. In the case of cybersecurity disclosure, it has to provide particular detail in the context of the business, but not so much that a disclosure compromises the company's cybersecurity efforts by providing a roadmap for bad actors who want to infiltrate the company's systems. In ordinary circumstances, the construction of risk factor disclosures is challenging. Cybersecurity disclosures will be harder — they will require that lawyers, senior management and technologists communicate with each other, and they don't all speak the same language. From counsel's point of view, it is important to know what questions to ask in order to get the answers needed in order to do the job. A useful start is always, "What keeps you up at night?" Next, ask whether the company has a comprehensive information security program in place, and listen to
In a relatively few years, almost all corporate data has become available in electronic form. Information security programs need to keep up with advances in technology. Here are some more questions to ask:
- What is the organization doing to protect itself from unwanted intrusion?
- Is access to information carefully controlled, well documented and permitted on a "need-to-know" basis?
- Is there an inventory of the software applications and the data used by those systems?
- Does the company classify its data by category (e.g., personally identifiable information ("PII"), proprietary, trade secret, confidential, public, internal use only, restricted)?
- Does the company have an approach to the protection of information by data classification?
Third parties (i.e., outsourcing providers) who perform services for the company are a potential "break" in the chain of control in an organization, and the SEC requires that the company consider these outsourcing arrangements as a "Risk Factor." In the outsourcing context, the company should have a dynamic inventory of its third-party service providers, what they do, what data is in their custody and where in the world the data is located. The company should conduct diligence regarding the providers of outsourced services prior to contract. The questions suggested above also apply in the outsourcing context. The outsourcing contract should be carefully crafted and clear about risks, rights and remedies. It used to be that once the contract was signed, it could be filed away and not reviewed again. Not anymore. In order to appropriately and adequately disclose risks, third-party diligence should continue after the agreement has been signed. Audits, reviews, monitoring, testing and escalation procedures are important elements of good governance. New technologies are making the monitoring job easier than it has been in recent years, meaning more process automation and scenario simulation is available and less manual and physical checking is required. If the company is contemplating an outsourced relationship to a virtual data center (aka the "cloud"), there is an enhanced risk profile to consider.
In the context of both the SEC guidance and the Report to Congress, it is probably time to revisit the company's existing contracts, upgrade data security obligations and ensure that a governance plan is in place. Policies, procedures and contracts are all useful and important tools in the risk mitigation toolbox, particularly when supplemented by auditing and testing.[3]
It is also interesting to note that Section 922 of the Dodd-Frank Act provides real incentives to blow the whistle on a company when original information about potential securities laws violations leads to sanctions in excess of one million dollars. Well-known, robust compliance programs can be helpful to the company in this context. If the company has not done an internal "data audit," it is time to do one. Between the proliferation of data breach laws, the disclosure requirements, and the increasing capability of bad actors, prudence dictates preparedness. All important projects begin with an inventory. The company should know what data, and what class of data, is resident in which software applications. The company should know where those software applications run — in-house or at a third party — and where in the world they run. The company should be able to demonstrate that it has security procedures in place both in-house and at the third party.
Cyber incidents damage trust, harm reputations and tarnish a company's brand, in addition to costing a lot of money to remediate. The company needs a good contract, good practices and procedures and the ability to demonstrate (i.e., document and retain evidence of action) that the procedures are routinely followed and audited. The theft of valuable trade secrets can do real damage to the company's competitiveness and, in some cases, the viability of the franchise.
If the company is getting good answers to the questions above, great news! Keep it fresh.
If not, it is possible for the company to create a holistic, dynamic and comprehensive approach to the protection of its various types of information — from intellectual property to PII — that will satisfy regulatory obligations and manage risk to the satisfaction of the company's investors and the Board.
1. The SEC guidance is available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
2. The Report is available at http://www.ncix.gov/publications/reports/fecie_all/index.html.
3. See also, McKinsey Quarterly "Meeting the Cybersecurity Challenge," available at http://www.mckinseyquarterly.com/meeting_the_cybersecurity_challenge_2821.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.