United States: Public Companies Should Update Cybersecurity Risk Disclosures

Last Updated: April 12 2018
Article by Edward C. Normandin and Matthew Repetto

With the increasing frequency of significant cyber security breaches affecting high profile public companies (e.g., Equifax, Uber, Yahoo, Target, eBay) and in light of the recent Securities and Exchange Commission guidance on public company cyber security risk, public companies would be well served to give fresh consideration to their cyber security risks and the adequacy of their current disclosure (e.g., in annual reports and registration statements).

In recognition of the changing cyber security landscape and attendant risks to public companies, the SEC on Feb. 21, 2018, released new guidance on cyber security disclosure requirements for public companies. This new guidance was widely anticipated by securities law practitioners following the SEC chairman's published remarks in September 2017, and it provides a long overdue update to the SEC's 2011 initial guidance on cyber security risk. Although no formal rules were promulgated by the SEC at this time, the new guidance sets out the SEC's current expectations for cyber security risk disclosure by public companies which, if not heeded, could potentially result in enforcement actions, SEC comments on securities filings, and/or shareholder lawsuits.

Regulation SK, which sets forth the rules for disclosures in public company filings, requires public companies, with some exceptions, to disclose in a separately captioned ''Risk Factors'' section ''the most significant factors that make an investment in a registrant's securities speculative or risky.'' This section typically includes an extensive set of risk factors disclosing a variety of risks that company management deems material. Following the SEC's initial cyber security guidance in 2011, in which it encouraged public companies to consider the materiality of risks related to cyber attacks and subsequently make the appropriate disclosures, public companies seemed to respond in one of several ways. Some elected to provide a specific, sometimes stand alone cyber security risk factor in their public filings, while others continued to rely on broadly worded risk factors designed to cover a variety of general information technology, data or systems related risks. Still, many companies elected not to supplement their risk factors to address cyber security risk. Regardless of a public company's current cyber security risk disclosure practices, it is likely that the new SEC guidance has rendered such disclosure inadequate for the purpose of properly informing investors of material cyber security risks. We believe that, generally, there is much room for improvement in cyber security risk disclosure, and we expect to see improvements made soon, as public companies and their securities counsel digest the new guidance and the SEC begins to use its powers to encourage greater disclosure.

This article highlights aspects of the SEC's latest guidance on cyber security risk factor disclosure and outlines considerations public companies should weigh when crafting their own cyber security risk factors.

Highlights of SEC's Guidance

The SEC states that its new guidance is meant to pro mote clearer and more robust cyber security risk disclosure to protect investors from potential consequences of a public company cyber security breach. As noted in the new guidance, these consequences include lost revenue, increased costs for protection, remediation costs, reputational damage, organizational changes, in creased insurance premiums, legal claims, regulatory actions, and damage to a company's stock price and long term shareholder value. Because of the seriousness of these consequences, the SEC has taken the stance that it is ''critical that public companies take all required actions to inform investors about significant and material cyber security risks and incidents in a timely fashion, including those companies that are subject to cyber security risks but have not yet been the tar get of a cyber attack.''

To help public companies determine what may be a ''significant cyber security risk'' for purposes of evaluating their cyber security risk factor disclosure, the SEC listed the following considerations:

  • the severity and frequency of incidents;
  • probability of occurrence and potential magnitude;
  • adequacy of preventative actions;
  • aspects of the company's business that may give rise to potential risks;
  • potential costs;
  • potential reputational harm;
  • existing or pending laws; and
  • Litigation or regulatory investigations.

The SEC also reminded public companies that they are required to disclose ''such further material information, if any, as may be necessary to make the required statements, in light of the circumstances under which they are made, not misleading.'' In determining what may be considered ''material,'' the SEC invokes a standard of materiality consistent with the Supreme Court's standard in TSC Industries v. Northway, which states that a cyber security risk or incident is material ''if there is a substantial likelihood that a reasonable investor would consider the information important in making an in vestment decision or that disclosure of the omitted in formation would have been viewed by the reasonable investor as having significantly altered the total mix of information available.''

When providing these disclosures, the SEC emphasized, as it has many times before, that a ''company by company'' approach to disclosure is expected. This is important because every company has a different risk profile, and these differences should be reflected in risk factor disclosures. Accordingly, companies are advised to avoid generic cyber security related disclosures or boilerplate, and instead, provide specific information that is useful to investors. However, the SEC was careful to note that it does not expect public companies to make their disclosure so detailed as to provide a ''road map'' to cyber criminals to bypass a company's protective measures. As such, the SEC acknowledges that disclosure of specific technical information about cyber security systems or system vulnerabilities is not expected. It should be noted that the new SEC guidance expands on its 2011 guidance by addressing two new topics: the importance of cyber security policies and procedures, and the application of insider trading prohibitions in the cyber security context. We encourage public companies to review the SEC's new guidance and be come familiar with its additional expectations.

Key Takeaways

We advise public companies seeking to improve their disclosure of material cyber security risks and meet the SEC's expectations for clearer and more robust disclosure to consider the following suggestions when crafting their cyber security risk factor disclosure.

1. Add a standalone cyber security risk factor.

Strong consideration should be given to providing a standalone cyber security risk factor in annual reports and registration statements. Although the SEC guidance stopped short of mandating any new disclosure category for cyber security risk, the SEC has clearly signaled to public companies that current cyber security risk factors need greater clarification of the nature and type of risk and the potential consequences. A stand alone risk factor will provide an opportunity for more in depth discussion of the particular cyber security risks faced by the company, the probability of incident, the potential impact of an incident and any past cyber security incidents affecting the company, its customers, vendors or competitors, and any risk prevention measures undertaken. A standalone risk factor may also demonstrate the company's recognition of the seriousness of cyber security risk and perhaps provide some reassurance to investors, the SEC, and governance watchdogs that the company's management is taking measures to prevent a breach incident and/or will not be completely caught off guard if an incident occurs. In addition, a standalone risk factor increases the prominence of the disclosure in the company's filing, thus allowing investors to more easily spot the potential material cyber security risks and make more informed investment decisions.

2. Avoid using boilerplate cyber security risk factors.

Following the SEC's 2011 guidance, some public companies responded by adding carefully crafted and tailored risk disclosure to their filings. However, many others responded simply by adding generic or ''boiler plate'' risk factor disclosure often borrowed from the filings of larger companies which were not tailored to their own business and circumstances, including, in some cases, borrowing from companies in different industries and/or with different risk profiles. Public companies should avoid merely copying cyber security risk factors from others. The SEC will likely deem a boiler plate risk factor too generic and insufficient to inform investors of the company's own cyber security risk. If a particular cyber security risk factor is applicable to al most any company, then it is likely too generic and should be revised. Instead, companies should disclose the specific facts and circumstances that make a given cyber security risk material by taking into account the company's own risk profile (e.g., industry, resources, systems, handling and use of data).

3. Sufficiently tailor cyber security risk factor disclosure to your particular business and industry.

Cyber security risk profiles vary by industry and from company to company within an industry. A public company's risk factor disclosure needs to recognize these differences by clearly explaining in its disclosures the risks or potential types of risks and the likely impact of a breach incident. For example, financial services companies handle large amounts of sensitive client data, the exposure or loss of which could materially harm the business due to a likelihood of customer lawsuits, regulatory enforcement, reputational harm, and loss of clients, among other things. These companies are also at a greater risk of theft of funds from accounts that would have more direct and immediate harm. Contrast this with a public manufacturing company to which theft of intellectual property and interruption of networked or connected operations likely pose significant risks and could lead to interruption in operations, competitive harm, loss of revenues, and costly litigation. In addition, the materiality of certain cyber security threats may differ among public companies in the same industry de pending on their respective preventative measures, available resources, the experience of personnel, etc. These differences need to be taken into account when drafting effective risk factor disclosures.

4. Tailor cyber security risk factors in light of your company's size and resources.

Cyber security risk profile may vary among public companies depending on size and financial strength of the company, thus reinforcing the need for tailored cyber security risk factors. A public company should be

careful not to adopt risk factors from the SEC filings of a larger or smaller company in the same industry with out proper tailoring. A small or midsize company should not assume that a potential cyber security threat disclosed in the filings of a Fortune 100 company in the same industry is also material to the small or midsize company, nor should it assume that an omitted cyber security threat in the larger company's filing is some how not material to the smaller company, and there fore, does not require disclosure. It could be that the board of directors or disclosure committee of the larger company determined that it had adequate safeguards to prevent or minimize a particular cyber security threat or that the estimated damages or liability resulting from a cyber security breach would not be material. However, that same threat might be material to a smaller company if it is less equipped to prevent the breach, or to withstand any associated financial or reputational loss. Likewise, a large, high profile company may determine that a particular cyber security threat poses a material risk due to the prevalence and frequency of attacks against it, its competitors, or other large or high profile companies. A smaller company might not (but should be careful not to) view itself as a likely target of cyber attacks because of its lower profile, and/or the lack of publicized cyber attacks affecting similarly situated companies. Certainly, size and resources of the company should be factored into any analysis of materiality.

5. Give appropriate prominence to cyber security within the risk factors section.

It is common practice to list risk factors in order of importance, thus giving greater prominence to the risk factors that the public company deems most significant. There is a tendency by some companies to add a new risk factor at the end of its existing list or to add to an existing group of risk factors where its placement may seem to be logical (usually related to information technology or systems). However, a company should avoid these tendencies and give careful thought to the relative importance and materiality of cyber security risk and then properly position the new or improved cyber security risk factor accordingly. We are not suggesting that the cyber security risk factor should be automatically placed at the top of the list. Although cyber security and the risk of attack is becoming increasingly important to companies of all sizes and in all industries, other risks may still be more significant to a particular public company. For example, it would be understandable if a public company engaged in a heavily regulated industry, such as pharmaceutical sales, gave greater prominence to the risk of a change in law or regulation affecting drug prices or approval processes. Also, a company that has previously been the target of a cyber attack should consider moving its cyber security risk factors to a higher position than it otherwise might have in the absence of a prior incident.

6. Make cyber security risk factors understandable to investors.

It is important to remember that risk factors are meant to help the investor make an informed investment decision. Therefore, they should be written in definite, concrete, everyday language so they are easily understandable. As a general rule, companies should avoid legalese, technical jargon, and business terminology that make the substance of the disclosures difficult to understand. This can be particularly challenging when crafting a cyber security risk factor since the nature of the risk does not easily lend itself to using plain English and may require discussion of technical systems and processes that are unfamiliar to many investors. By now, we estimate that most reasonable investors understand terms such as ''malware,'' ''encryption,'' ''firewall,'' ''hacker,'' ''virus,'' and ''phishing,'' but will they understand the meaning of ''IPS,'' ''SSL,'' ''VPN,'' ''social engineering,'' ''key logger'' and ''pharming''? Thus, public companies must employ careful drafting of complex processes and technical terms to make their risk disclosure understandable.

7. Review competitors' cyber security risk factor disclosures; don't be an outlier.

Although we earlier cautioned against adopting risk factors from other companies, we see value in periodically reviewing the cyber security risk factors of competitors as they can inform a public company of the nature and types of cyber security risks that their competitors deem material and which they may want to consider if they have not already done so. Furthermore, if a competitor has been the victim of a known cyber attack, a company might consider this to be material to its investors, perhaps because of the incident itself or the nature of the attack. Public companies should look for changes or updates in a competitor's cyber security risk factor disclosures, as these may have been changed in response to an SEC comment. A company may benefit from a competitor's experience and avoid an SEC comment on future filings.

In addition, a public company may wish to consider the scope and robustness of its cyber security risk factors in relation to its peers. It seems ill advised for a company to be an outlier in this regard by providing disclosure that is paltry or even minimally compliant compared with a competitor's disclosures, as this could attract attention from regulators, governance watch dogs, and shareholders. Likewise, companies should consider the degree to which they want to be a leader among their peers in cyber security risk disclosure, as 'over disclosuree'' could potentially provide a roadmap to hackers that could ultimately put the company at a competitive disadvantage. Needless to say, a company's relative positioning along the disclosure scale should be carefully considered and constructed so it is meeting the SEC's disclosure expectations regardless of the robustness of a competitor's disclosure.

8. Avoid exposing vulnerabilities by providing too much information in risk factor disclosure.

Cyber security risk factors are publicly available on the SEC's Electronic Data Gathering, Analysis, and Retrieval database and often on the website of the public company. Thus, companies should strive to meet their cyber security disclosure obligations without unwittingly providing a roadmap for would be cyber criminals to penetrate the company's security protections. The SEC recognizes that this is a real concern and has indicated in its recent guidance that companies are not expected to disclose their system vulnerabilities, potential areas of weakness, or technical information about their cyber security systems. Even so, the SEC has made

clear that where a company has become aware of a cyber security incident or risk, it must appropriately and timely disclose information that is material to investors. Disclosure of such incidents, however, may necessitate more specific or technical discussion of a company's systems, which will require careful drafting.

9. Involve the right company personnel when drafting cyber security risk factors.

Due to the nature of cyber security risk, a public company should engage members of its IT department to work with legal and finance personnel in tailoring its cyber security risk factor disclosures. Members of the IT department are likely in the best position to know the company's cyber security threat vulnerabilities and preventative measures, and thus, can help draft more accurate and tailored risk factor disclosure. It will be incumbent upon the team to ensure that input from IT members on complex or technical matters is sufficiently reduced to plain English in the final drafting. It is also advisable to involve high level officers and members of the board of directors having experience in cyber security measures and/or the disclosure of these measures as they may bring other perspectives from their experience gained at other companies.

10. Periodically update ''new and improved'' cyber security risk factors.

The cyber security landscape is rapidly changing and so, too, should a public company's measures to prevent and mitigate a cyber security incident. Accordingly, the risk factors that a company has crafted may become outdated if not periodically updated to disclose changes in risk profile and the occurrence of new cyber security threats and incidents affecting the company and perhaps its vendors, customers, or competitors. Accordingly, we suggest companies assess their existing disclosures as part of their quarterly risk factor review. Smaller companies that are not required to periodically disclose risks should consider voluntary disclosure. A cyber security incident can occur unexpectedly and, as risks evolve, it is important for companies to be armed with the proper risk disclosure and to keep their investors well informed of these risks. It should also be noted that public companies have an ongoing duty to correct and update prior disclosures.

Conclusion

The SEC's latest guidance on cyber security puts the issue of cyber security risk factor disclosure back in the spotlight following its initial attempt in 2011 to encourage robust risk disclosure. We believe public companies should take seriously this new guidance and take immediate steps to improve the risk factor disclosures in their public filings to meet the standards in the new guidance. Failure to update cyber security risk disclosure could have undesirable consequences. By following the steps outlined above and engaging with securities counsel, it is likely that a public company can achieve compliance and mitigate risk.

Originally published in Bloomberg Law

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Events from this Firm
9 Jan 2019, Other, New York, United States

Scott Schirick, co-head of Pryor Cashman's Securities Litigation + Regulatory Enforcement practice, will be a panelist at "Do's and Don'ts in Working with a Lawyer on Your Capital Raise," an event presented by GenesisBlock.

Similar Articles
Relevancy Powered by MondaqAI
McGuireWoods LLP
 
In association with
Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
McGuireWoods LLP
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions