As the latest 10-K filing period for corporations draws to a close, the Securities and Exchange Commission (SEC) is expected to intensify its scrutiny on whether companies’ filings adequately disclose both information security breaches that occurred in the past, and the material risks due to cyber threats such companies face in the future. Since the Senate Commerce Committee focused greater attention upon corporate cybersecurity in a letter to the SEC on May 12, 2011, momentum has been building for expanded corporate disclosure of cybersecurity safeguards and security breaches. In October 2011, the SEC issued guidance that publicly traded companies have a duty to disclose “material information regarding cybersecurity risks and cyber incidents” where failure to do so would make other disclosures misleading. Recent developments both inside and outside the SEC show that corporations can expect an even brighter spotlight this year upon their cybersecurity efforts – and shortfalls. Now more than ever, publicly traded companies need to be prepared to address, whether in responses to SEC comment letters or in preparing future filings, what material risks they may have due to cyber threats and whether they have taken steps to address such risks and vulnerabilities.

Recent Developments:

In its 2013 Examination Priorities, the SEC identified a number of “risk areas” attracting its focus, including enterprise risk management and companies’ “governance and supervision of information technology systems for topics such as operational capability, market access, and information security, including risks of system outages, and data integrity compromises that may adversely affect investor confidence.” These Examination Priorities were published on February 21, 2013, one week after the President issued an Executive Order on improving critical infrastructure cybersecurity, and several days after the release of the Mandiant report, which tied the Chinese military to cyberattacks on over 140 U.S. and other foreign corporations and entities.

Cybersecurity Guidance:

The SEC’s guidance to companies focused upon certain factors that may create a material cybersecurity risk and thereby trigger a corporate duty of disclosure. In describing cybersecurity risks, the SEC guidance recognized the impact that cyber attacks and breaches may have upon corporations, including:

  • Remediation costs that may include liability for stolen assets or information, repairing system damage, or even incentives offered to customers or other business partners in an effort to maintain business relationships after an attack;
  • Increased cybersecurity protection costs that may include deploying additional personnel and protection technologies, engaging third-party expertise, and training employees;
  • Lost revenues resulting from unauthorized use of proprietary information, or the loss of current or potential customers following an attack;
  • Litigation; and
  • Reputational damage.

The risks acknowledged in the guidance are borne out by the massive costs that U.S. companies have incurred in recent years as a result of cybertheft. In 2009, President Obama observed that cyber criminals had stolen intellectual property and trade secrets from businesses worldwide with an estimated value of up to $1 trillion. According to a report released by the Department of Justice this month, in the past year a single employee working for an American company was convicted of stealing her employer’s proprietary information that was reportedly worth $400 million. Nor are less prominent targets safe: as the Verizon report warned this month, both small and large companies are targets of cyber espionage campaigns. The SEC guidance represents an effort to ensure that companies are forthcoming about these risks with investors and with the general public.

The SEC guidance requires companies to first assess whether a cybersecurity incident or risk is sufficiently “material” to warrant a disclosure, and, second, what information must be included in such a disclosure.

Material risk or incident. The SEC guidance adopts the definition of “material” as presenting “a substantial likelihood that a reasonable investor would consider [the information] important in making an investment decision or if the information would significantly alter the total mix of information made available.” In articulating this standard, the guidance references the Securities Act Rule 402, Exchange Act Rule 12b-20, Exchange Act Rule 14a-9, and the Supreme Court decisions in Basic, Inc. v. Levinson, 485 U.S. 224 (1980); TSC Indus., Inc. v. Northway, Inc., 426 U.S. 438 (1976). In assessing whether a risk or incident is material, the guidance advises companies to consider factors such as prior breaches and the costs incurred, attacks that have been threatened, and the adequacy of actions taken to prevent or mitigate cybersecurity risks in the particular context of the industries in which they operate.

What to include in a disclosure. Referencing generally the Regulation S-K Item 503(c) requirements for disclosing risk factors, the SEC guidance requires companies to describe both the nature of any material risks and the effects of each breach. The guidance contains broadly worded categories to indicate that, in assessing their adequacy, the agency will consider whether disclosures:

  • Discuss aspects of the company’s business or operations that gave rise to the material cybersecurity risks, as well as potential costs and consequences;
  • Describe any outsourced functions with material risks and how the company addresses these risks;
  • Describe cyber incidents against a company that are material, either individually or in the aggregate, and the costs and consequences of those incidents;
  • Address “risks related to cyber incidents that may remain undetected for an extended period”; and
  • Describe what, if any, relevant insurance coverage the company has.

The SEC’s disclosure obligations with respect to risk assessments, security safeguards, and breach reporting also parallel information security requirements with which companies must comply, such as the Federal Information Security Management Act, the Health Insurance Portability and Accountability Act, and security breach notification laws in various states.

2013 Filings and Beyond:

Since the SEC’s guidance in October 2011 and the subsequent updates in February 2013, corporations have had relatively limited experience in applying the guidance and making public disclosures. The 2013 corporate filings submitted at this juncture have generally included very brief, high-level statements that some risk of a cybersecurity breach is present and that, in the event of a breach, adverse consequences may result. Very few companies have openly acknowledged being victims of security breaches or cyber attacks – and nearly all have described these incidents as not inflicting any material costs or consequences on the operations of their companies.

A number of open questions in this area remain, including how expansive a view of the term “material” the SEC will adopt, whether it will demand more information about cybersecurity risks from companies within certain industries, and how a company can sufficiently disclose “risks related to cyber incidents that may remain undetected for an extended period.” As the SEC’s Corporate Finance Division issues comment letters requesting companies provide additional information in their 10-K filings, we will continue to look for insights on these issues and assess what this may mean for companies submitting filings on cybersecurity breaches and risks going forward. In addition, these insights will undoubtedly influence conduct and best practices of privately held companies – stay tuned.

H. Bryan Brewer III is a partner in Crowell & Moring’s Corporate, Privacy and Cybersecurity,  and International Trade groups.

Bryan is experienced in matters related to mergers and acquisitions, public securities, government contracts, intellectual property licensing and counseling, venture capital, export controls, and general corporate governance issues that affect both for-profit and non-profit companies. Included in this experience is a focus on the intersection of corporate and cybersecurity and privacy as well as counseling with companies focused on digital transformation issues.

In addition to his corporate transactional practice, Bryan has over two decades of experience acting as special counsel to corporate trusts and trustees in the context of complex corporate transactions. Bryan has advised trusts in transactions relating to securitization, environmental, bankruptcy/liquidation, royalty, equipment, college/university, and the insurance verticals. He has advised and coordinated counseling on a wide range of matters impacting trusts and trustees, including general corporate and trust structuring matters, trust agreements, fiduciary duties, due diligence and trustee obligations under Delaware law, public securities and SEC filing obligations of publicly traded trusts, bankruptcy, litigation, tax, and matters relating to conflict of interest.

Bryan provides counseling for both public companies and privately held corporations on mergers and acquisitions, regulatory compliance, and securities issuances. He is experienced in providing advice on the corporate aspects of technology, life sciences, and government contracts. Bryan has counseled on digital strategy and technology in the autonomous vehicle, internet of things, artificial intelligence, and other transformative technology verticals. He also has advised emerging research-based companies with respect to the legal issues associated with the development of vaccines (including vaccines based on virus-like particles) and discovery of small molecules targeting emerging infectious agents, biodefense companies specializing in the development and commercialization of medical countermeasures against chemical and biological threats, and foundations focusing on biomedical research projects bringing the public sector (NIH) and the private sector (pharmaceutical, biotech, and other companies, foundations, and academia) together to solve persistent health challenges. Bryan’s experience involves counseling with respect to awards, RFPs, solicitations, teaming agreements, joint venture agreements, subcontracts, intellectual property, and licensing issues and positioning with respect to the National Institutes of Health (NIH), U.S. Army Medical Research Institute of Infectious Diseases (USAMRIID), National Institute of Allergy and Infectious Diseases (NIAID), U.S. Department of Health and Human Services (DHHS), Biomedical Advanced Research and Development Authority (BARDA), and other governmental agencies.

He is also experienced in providing corporate/business counseling and strategic advice for rapidly expanding start-up and pre-IPO companies. He has clients in a number of sectors including government contractors, energy, life sciences, technology, telecommunications, media and the financial markets. He has also worked on numerous matters related to International Traffic in Arms Regulations (ITAR), Export Administration Regulations (EAR), Committee on Foreign Investment in the United States (CFIUS) and regulatory and export compliance matters generally. He also counsels clients on transactional aspects of intellectual property rights and strategies and has experience in formulating, negotiating and implementing intellectual property licensing agreements, technology transfer programs, technology acquisitions, and copyright and trade secret protection programs.

Bryan has deep experience in working with trade associations on their transactional and corporate challenges and transactions. He has acted as outside counsel on numerous corporate matters and transactions for trade associations. Bryan has counseled numerous non-profit corporations on formation, licensing and related contract and intellectual property issues in a variety of industries. Bryan has authored numerous articles and frequently speaks on such topics as mergers & acquisitions, securities, venture capital, intellectual property, export controls and other emerging business issues.