On February 21, 2018, nearly seven years after the original issuance of guidance relating to disclosure of cybersecurity risks and cyber incidents, the Securities and Exchange Commission (SEC) released a statement and interpretive guidance regarding disclosures on cybersecurity risks and incidents (2018 guidance). The 2018 guidance reinforces and expands the SEC's prior guidance regarding cybersecurity disclosures. It is likely that the SEC's recent guidance reflects increased interest, from both a disclosure and an enforcement perspective, in how public companies respond to cybersecurity risks and incidents. This market trends article identifies some representative cybersecurity disclosures and concludes with recommendations for enhancing cybersecurity-related disclosures moving forward. The company name, its industry, and the type of filing accompany each sample disclosure for reference.

The 2018 guidance reminds public companies of their obligation to disclose cybersecurity risks and cyber incidents to the extent that these are material. In evaluating whether cybersecurity risks or incidents are material, a public company should consider, among other things, the nature and magnitude of cybersecurity risks or prior incidents; the actual or potential harms to the company's reputation, financial condition, or business operation; the legal and regulatory requirements to which the company is subject; the costs associated with cybersecurity protection, including preventative measures and insurance; and the costs associated with cybersecurity incidents, including remedial measures, investigations, responding to regulatory actions, and addressing litigation.

Once cybersecurity risks and incidents are determined to be material, a public company should provide complete and accurate information in its periodic reports regarding these risks and incidents.

Public companies generally include cybersecurity-related disclosures in the following sections of their offering materials and periodic reports: Risk Factors, Business, and Management's Discussion and Analysis of Financial Condition and Results of Operations (MD&A). To date, most of the disclosures related to cybersecurity risks and incidents tend to be quite general in nature. However, a growing number of companies provide disclosures that are more comprehensive and particularized, with discussions about the potential reputational, financial, or operational harm resulting from cybersecurity breaches, the potential associated litigation or regulatory costs, and their policies and procedures addressing cybersecurity incidents.

For further information on public company disclosure in general, see Public Company Periodic Reporting and Disclosure Obligations and Periodic and Current Reporting Resource Kit.

Risk Factor Disclosures

Item 503(c) (17 C.F.R. § 229.503) of Regulation S-K requires that a company describe the material risks that impact the company's business, results of operations, and future prospects, as well as, in the case of an offering document, material risks that make an investment in the offered securities speculative or risky. For further information, see Market Trends 2016/17: Risk Factors, Top 10 Practice Tips: Risk Factors, and Risk Factor Drafting for a Registration Statement. The disclosures should be in plain English and should not be generic. For further information on plain English, see Top 10 Practice Tips: Drafting a Registration Statement and Glossaries in Prospectuses and Annual Reports — Background. A majority of companies choose to disclose cybersecurity risks in the Risk Factor section. The nature of the disclosures varies by company, but companies that have a strong e-commerce presence or that have experienced a security breach typically provide disclosure with particularity. When cybersecurity incidents become known, companies typically disclose the incidents together with remedial actions, estimated losses, and other consequences, such as litigation and regulatory action associated with the incidents. For a further discussion on cybersecurity disclosure, see Media & Entertainment Industry Practice Guide — Regulatory Trends—Cybersecurity risks. Set forth below are some examples of cybersecurity disclosures in the Risk Factor section:

General Disclosure on Cybersecurity Risks

  • "Our business is subject to online security risks, including security breaches and cyberattacks.

    Our businesses involve the storage and transmission of users' personal financial information... The techniques used to obtain unauthorized access, disable, or degrade service, or sabotage systems, change frequently, may be difficult to detect for a long time, and often are not recognized until launched against a target. Certain efforts may be state sponsored and supported by significant financial and technological resources and therefore may be even more difficult to detect. As a result, we may be unable to anticipate these techniques or to implement adequate preventative measures. Unauthorized parties may also attempt to gain access to our systems or facilities through various means, including hacking into our systems or facilities, fraud, trickery or other means of deceiving our employees, contractors and temporary staff. A party that is able to circumvent our security measures could misappropriate our or our users' personal information, cause interruption or degradations in our operations, damage our computers or those of our users, or otherwise damage our reputation... Our information technology and infrastructure may be vulnerable to cyberattacks or security incidents and third parties may be able to access our users' proprietary information and payment card data that are stored on or accessible through our systems. Any security breach at a company providing services to us or our users could have similar effects...

    We may also need to expend significant additional resources to protect against security breaches or to redress problems caused by breaches. These issues are likely to become more difficult and costly as we expand the number of markets where we operate. Additionally, our insurance policies carry low coverage limits, which may not be adequate to reimburse us for losses caused by security breaches and we may not be able to fully collect, if at all, under these insurance policies." eBay Inc., Form 10-Q filed April 26, 2018 (SIC 7389—Services—Business Services)
  • "Risks Related to Cybersecurity.

    Increased reliance on technology by both the Fund and its service providers have resulted in increased risks posed to their respective information systems. The Fund and its service providers are susceptible to cyber-security risks including, among other things, theft, unauthorized monitoring, release, misuse, loss, destruction or corruption of confidential and highly restricted data; denial of service attacks; unauthorized access to relevant systems; compromises to networks or devices that the Fund and its service providers use to service the Fund's operations; or operational disruption or failures in the physical infrastructure or operating systems that support the Fund and its service providers. Cyber-attacks against or security breakdowns of the Fund or its service providers may adversely impact the Fund and its shareholders, potentially resulting in, among other things, financial losses; the inability of Fund shareholders to transact business and the Fund to process transactions; inability to calculate a Portfolio's NAV; violations of applicable privacy and other laws; regulatory fines, penalties, reputational damage, reimbursement or other compensation costs; and/or additional compliance costs. The Fund may incur additional costs for cyber security risk management and remediation purposes. In addition, cyber security risks may also impact issuers of securities in which a Portfolio invests, which may cause a Portfolio's investment in such issuers to lose value. There can be no assurance that the Fund or its service providers will not suffer losses relating to cyber-attacks or other information security breaches in the future." Venture Lending & Leasing IX, Inc., Form 10-K filed March 16, 2018
  • "Our business depends on the Internet, our infrastructure and transaction-processing systems.

    We are completely dependent on our infrastructure and on the availability, reliability and security of the Internet and related systems. Substantially all of our computer and communications hardware is located at a single Overstock-owned and -operated facility . . . . Our back-up facility is not adequate to support sales at a high level. Our servers and applications are vulnerable to malware, physical or electronic break-ins and other disruptions, the occurrence of any of which could lead to interruptions, delays, loss of critical data or the inability to accept and fulfill customer orders. Any system interruption that results in the unavailability of our Website or our mobile app or reduced performance of our transaction systems could interrupt or substantially reduce our ability to conduct our business. We have experienced periodic systems interruptions due to... intentional cyber-attacks in the past, and may experience additional interruptions or failures in the future. Any failure or impairment of our infrastructure or of the availability of the Internet or related systems could have a material adverse effect on our financial results and business." Overstock.com, Inc., Form 10-K filed March 15, 2018 (SIC 5961—Retail—Catalog & Mail-Order Houses)
  • "Operational risks, including cybersecurity risks, may disrupt our businesses, result in losses or limit our growth.

    In addition, our systems face ongoing cybersecurity threats and attacks. Attacks on our systems could involve, and in some instances have in the past involved, attempts intended to obtain unauthorized access to our proprietary information, destroy data or disable, degrade or sabotage our systems, including through the introduction of computer viruses. Cyberattacks and other security threats could originate from a wide variety of sources, including cyber criminals, nation state hackers, hacktivists and other outside parties. There has been an increase in the frequency and sophistication of the cyber and security threats we face, with attacks ranging from those common to businesses generally to those that are more advanced and persistent, which may target us because, as an alternative asset management firm, we hold a significant amount of confidential and sensitive information about our investors, our portfolio companies and potential investments. As a result, we may face a heightened risk of a security breach or disruption with respect to this information. If successful, these types of attacks on our network or other systems could have a material adverse effect on our business and results of operations, due to, among other things, the loss of investor or proprietary data, interruptions or delays in our business and damage to our reputation. There can be no assurance that measures we take to ensure the integrity of our systems will provide protection, especially because cyberattack techniques used change frequently or are not recognized until successful. If our systems are compromised, do not operate properly or are disabled, or we fail to provide the appropriate regulatory or other notifications in a timely manner, we could suffer financial loss, a disruption of our businesses, liability to our investment funds and fund investors, regulatory intervention or reputational damage.

    In addition, we operate in businesses that are highly dependent on information systems and technology. The costs related to cyber or other security threats or disruptions may not be fully insured or indemnified by other means. In addition, cybersecurity has become a top priority for regulators around the world. Many jurisdictions in which we operate have laws and regulations relating to data privacy, cybersecurity and protection of personal information, including the General Data Protection Regulation in the European Union that goes into effect in May 2018. Some jurisdictions have also enacted laws requiring companies to notify individuals of data security breaches involving certain types of personal data. Breaches in security could potentially jeopardize our, our employees' or our fund investors' or counterparties' confidential and other information processed and stored in, and transmitted through, our computer systems and networks, or otherwise cause interruptions or malfunctions in our, our employees', our fund investors', our counterparties' or third parties' operations, which could result in significant losses, increased costs, disruption of our business, liability to our fund investors and other counterparties, regulatory intervention or reputational damage. Furthermore, if we fail to comply with the relevant laws and regulations, it could result in regulatory investigations and penalties, which could lead to negative publicity and may cause our fund investors and clients to lose confidence in the effectiveness of our security measures." Blackstone Group L.P., 10-K filed March 1, 2018 (SIC 6282—Investment Advice)
  • "Our operations may be adversely affected by cybersecurity risks.

    We are subject to cybersecurity risks including unauthorized access to privileged information, technological assaults on our infrastructure aimed at stealing information, fraud or interference with regular service and interruption of our services to clients or users resulting from the exploitation of these vulnerabilities. Cyber-attacks, distributed denial of service attacks and other cybersecurity matters, if successful, could have an adverse effect on our business, financial condition or results of operations.

    Two of the most significant cyber-attack risks that we face are e-fraud and loss of sensitive customer data. Loss from e-fraud occurs when cyber-criminals extract funds directly from clients' or our accounts using fraudulent schemes that may include Internet-based funds transfers. Such attacks are infrequent, but could present significant reputational, legal and regulatory costs to us if successful. We also face risks related to cyber-attacks and other security breaches in connection with credit card transactions that typically involve the transmission of sensitive information regarding our clients through various third parties, including merchant acquiring banks, payment processors, payment card networks, our processors and clearing banks. Some of these parties have in the past been the target of security breaches and cyber-attacks, and because the transactions involve third parties and environments such as the point of sale that we do not control or secure, future security breaches or cyber-attacks affecting any of these third parties could impact us through no fault of our own, and in some cases we may have exposure and suffer losses for breaches or attacks relating to them. Additionally, we face the risk that a party with which we or our clients do business, such as credit rating agencies, could suffer a cyber-attack. If such a cyber-attack occurs, we could be indirectly impacted in a variety of ways, such as our clients' personal data is compromised or consumer confidence is undermined.

    We cannot assure you that we will not experience a material cyber-attack, suffer indirect consequences from a cyber-attack on a third party, or fail to anticipate, identify or offset such threats of potential cyber-attacks or breaches of our security in a timely manner. If such an event occurs, our financial condition and results of operations could be materially and adversely affected." FirstCaribbean International Bank Ltd., Form F-1 filed March 23, 2018 (SIC 6029—Commercial Banks)
  • "We are subject to cyber security risks and may incur increasing costs in an effort to minimize those risks.

    [...] Although we take steps to secure our management information systems, and although multiple auditors review and approve the security configurations and management processes of these systems, including our computer systems, intranet and internet sites, email and other telecommunications and data networks, the security measures we have implemented may not be effective, and our systems may be vulnerable to theft, loss, damage and interruption from a number of potential sources and events, including unauthorized access or security breaches, natural or man-made disasters, cyberattacks, computer viruses, power loss, or other disruptive events. We may not have the resources or technical sophistication to anticipate or prevent rapidly evolving types of cyberattacks. Attacks may be targeted at us, our customers and suppliers, or others who have entrusted us with information. In addition, attacks not targeted at us, but targeted solely at suppliers, may cause disruption to our computer systems or a breach of the data that we maintain on customers, employees, suppliers and others.

    Actual or anticipated attacks may cause us to incur increasing costs, including costs to deploy additional personnel and protection technologies, train employees and engage third-party experts and consultants, or costs incurred in connection with the notifications to employees, suppliers or the general public as part of our notification obligations to the various governments that govern our business. Advances in computer capabilities, new technological discoveries, or other developments may result in the breach or compromise of technology used by us to protect transaction or other data. In addition, data and security breaches can also occur as a result of non-technical issues, including breaches by us or by persons with whom we have commercial relationships that result in the unauthorized release of personal or confidential information. Our reputation, brand and financial condition could be adversely affected if, as a result of a significant cyber event or other security issues: our operations are disrupted or shut down; our confidential, proprietary information is stolen or disclosed; we incur costs or are required to pay fines in connection with stolen customer, employee or other confidential information; we must dedicate significant resources to system repairs or increase cyber security protection; or we otherwise incur significant litigation or other costs." Spirit Airlines, Inc., Form 424B2 filed November 14, 2017 (SIC 4512—Air Transportation, Scheduled)

Originally published in LexisNexis

© Copyright 2018. The Mayer Brown Practices. All rights reserved.