As the number and severity of cyber-attacks—perpetrated by external hackers and snooping insiders alike—reach epidemic levels, the Securities and Exchange Commission is considering new disclosure demands for companies that suffer such a misfortune.

The SEC last issued staff guidance in October 2011, asking listed companies to provide detailed disclosures of their cyber-exposures. Mary Jo White, recently appointed chairman of the SEC, has since asked her staff to provide her with “a briefing of the current disclosure practices” and overall compliance trends, along with “any recommendations they have regarding further action in this area.”  

White's response followed an April 9 letter from Sen. John Rockefeller (D-W.Va.), chairman of the Senate Committee on Commerce, Science, and Transportation, urging White to orchestrate a push for more in-depth, formalized disclosures on how companies are managing cyber-security threats and how they have responded to specific attacks. Nearly two years ago, he sent a similar request to former Chairman Mary Schapiro.

That earlier push by Rockefeller and others led the SEC to issue guidance on disclosure obligations. The non-binding staff guidance, which applied to filings beginning in 2012, outlined what companies should disclose in the event of a cyber-attack or data breach. Specifically, the SEC's Division of Corporation Finance asked companies to disclose the types of cyber-risk they face, an explanation of how a material security breach would affect the business, the effect of any specific material breach (before, during, and after the incident) on the company's financial performance, and a discussion of the adequacy of the company's internal controls and procedures.

Rockefeller urged White to consider going further. “Given the growing significance of cyber-security on investors' and stockholders' decisions, the SEC should elevate this guidance and issue it at the Commission level as well,” he wrote. That shift would make compliance with the guidance mandatory rather than voluntary. “While the staff guidance has had a positive impact … the disclosures are generally still insufficient for investors to discern the true costs and benefits of companies' cyber-security practices.”

While the SEC review is underway, questions have emerged over what changes companies might expect. “It is unclear what more the SEC can do as a follow-up to the previous guidance,” says Joe Lynyak, a partner with law firm Pillsbury Winthrop Shaw Pittman and member of its newly formed Cyber-security Task Force. “It's a well-written document with a sufficient number of caveats that say not to just give generic disclosures, urging companies to make sure they have in place what they think are reasonable risk-management approaches toward cyber-security and identifying operations that are subject to attack.”

New guidance might provide advice for when a disclosure about the adequacy of those protections should be made, he says. A detailed explanation of material losses could also be required.

Lynyak questioned what companies should have to say beyond acknowledging a problem that is being addressed. Disclosing too many granular details could have the unintended consequence of inviting a similar attack, or even handing other hackers a blueprint to learn from.

Separate from disclosure concerns, companies need to focus on a comprehensive risk assessment. “That may be the one linchpin everyone can agree about for companies that have exposure,” Lynyak says. “The biggest issue is not so much disclosure, as having adequate technical capability in-house to be able to deal with these problems. Have you at least commenced the process of a concrete risk assessment and looking at what your vulnerabilities are?”

Companies Are Saying More

As the SEC considers new, more stringent requirements, there is evidence that the first full year under the existing disclosure guidance has been a success and that companies are providing investors with more details on their vulnerabilities to cyber-attacks. Over the last six months, there have been over 800 references to cyber-security concerns by companies in their regulatory filings, a 106 percent increase compared to the previous six-month period, according to Intelligize, a firm that analyzes SEC reporting and data. Its research shows that companies are beginning to disclose more information about specific incidents and their response.

The first year of disclosures illustrates “a sea change” in how companies, and the public, view cyber-threats, says Gurinder Sangha, CEO of Intelligize. In the past, consumer-facing businesses would not want to disclose this information, concerned it “could have a chilling effect on customer perception of their private data,” he said. That contrasts with the wide range of industries reporting issues to the SEC throughout 2012.


There are two reasons for the change, Sangha says: Public awareness of the problem has grown, and regulators are paying more attention. “Any company may need to disclose risks,” he says. “If they have any back-end IT operations or front-end Web presence, they are susceptible to a cyber-security breach. At a minimum, they face reputation risk if customers think their personal data could be stolen or mishandled.”

Similar findings emerged in a June study conducted by Willis North America, a leading risk adviser and insurance broker. The survey of SEC filings found that 88 percent of the Fortune 500 have provided disclosures regarding cyber-exposures as of April 2013. The top three risks cited: loss or theft of confidential information, harm to reputation, and direct loss from malicious acts by a hacker or virus.

Additionally, 52 percent of firms referred to technical solutions they have in place, but a significant number (15 percent) say they do not have the resources needed to protect themselves against critical attacks. Only 6 percent of companies purchased insurance to cover cyber-risks.

Greater Liability

The Willis study also shows real consequences for companies that don't meet the SEC's voluntary guidelines. “D&O liability risk may be heightened for companies that experience cyber-breaches if cyber-risk disclosures are deemed not to meet SEC standards and a significant loss were to occur. This may be especially true if their peers have provided more detailed disclosure,” says Ann Longmore, executive vice president at Willis North America and co-author of the report.

Longmore isn't surprised the SEC is taking a fresh look at its disclosure requirements. She wonders, however, whether the review should wait until more than a single year of filings is available. “It may be a little early to be calling for further tightening of the standards on disclosure,” she says. “This is completely new to everyone, particularly for the accelerated filers, the first companies that reported in 2012. They had no guidepost to follow. Those who filed later in the year at least did have [examples] to look at.” Companies that filed their first cyber-security disclosures later may in some cases have relied a little too heavily on the earlier filings of others, says Longmore, noting her concern with the “boilerplate language” many used.

[Chart, not reproduced here: “Cyber-Security Risk”: the percentage of companies, by industry, whose SEC filings identified cyber-security as a risk factor. Source: Intelligize.]

After reviewing 2012 disclosures, SEC staff followed up with 50 companies and asked them to amend or supplement the filings. Longmore says most of these requests were sent to very large companies, suggesting that, for now, smaller ones are getting a break. The most common follow-up requests included: breaking out cyber-security risks into their own category, distinct from disclosure of natural disasters or terrorist attacks; submitting additional information on why a company doesn't believe an attack was sufficiently material to warrant disclosure; and answering questions about interconnectivity—what happens if a trading or information storage partner suffers an outage or is hacked.

Companies should take the reporting of data breaches very seriously, agrees Rich Rosenfeld, a partner with the law firm Mayer Brown. He expects to soon see major litigation or government action against companies that fail to disclose information following a breach.

“The question of how you define materiality in the cyber-world is interesting,” he says. “I think that's where companies are getting a little bit caught up. There is no actual or express guidance from the SEC on how they should define that.”

The SEC wants to know that a company took “reasonable measures,” but that too may be problematic, Rosenfeld says. “It may be difficult to know what reasonable measures are,” he says. “You may be in a Catch-22 where it is perceived, in hindsight, that you didn't do enough, when you thought you did at the time. If you have lost a chunk of personal data and that became a huge drag on your stock price, the SEC's Enforcement Division, and third-party litigants, are going to say there was something you should have known and you didn't do enough.”

“Companies are really going to have to take this very seriously,” Rosenfeld says. “This is going to be an absolutely critical and increasingly costly area for corporations and financial institutions.”