Cybersecurity Risk Factors: Five Tips to Consider When Any Public Company Might be The Next Target
10 February 2014
Practice Groups: Capital Markets; Insurance Coverage
By Roberta D. Anderson, Katherine J. Blair
The text of this article was first published by Law360 on February 10, 2014.
The Risk of Cybersecurity Attacks
With annual reporting season underway, C-suite executives wake to another day and
another data breach. Target, Michael’s, Snapchat, Facebook, Twitter, Adobe -- the list goes
on and on. By now, all companies should appreciate that, notwithstanding the most robust
and sophisticated network security, any company is a vulnerable next “Target” for a serious
cybersecurity incident, together with the range of negative consequences that typically
follows, including negative publicity, reputational damage that adversely affects customer
and investor confidence, lost market capitalization, claims and legal disputes, regulatory
investigations -- and falling stock prices. In the wake of its high-profile data breach, Target’s
directors and officers were just hit on January 29, 2014 with a shareholder derivative action
alleging that “Target shares were trading above $63.50 on December 18, 2013 before the
news of the data breach and have fallen over 10.5% to $57.60” and that “Target … has
suffered considerable damage from breach.”1
In view of the recent high-profile data breaches, and the pervasiveness of cybersecurity
incidents in general, companies are well advised to consider whether their current
cybersecurity risk factor disclosures are adequate. Proper attention to cybersecurity risk
factor disclosures may assist a company in avoiding a Securities and Exchange Commission
(SEC) comment letter. Even more importantly, proper attention to cybersecurity risk factor
disclosures may decrease the likelihood that a company will face securities class action
litigation and shareholder derivative litigation in the wake of a cybersecurity incident that
negatively impacts the company’s stock price -- or, at a minimum, may mitigate a company’s
potential exposure in the event of such litigation.
The Form 10-Ks that public companies are preparing to file in the coming weeks present a
significant opportunity for companies to review and strengthen their cybersecurity risk factor
disclosures, and below we offer five tips that companies may wish to consider in reviewing
the adequacy of their existing cybersecurity disclosures.
SEC Disclosure Guidance
By way of background, companies must keep in mind that, although existing disclosure
requirements do not (yet) expressly reference “cybersecurity,” the SEC’s Division of
Corporation Finance (SEC staff) has emphasized the importance of appropriate
cybersecurity disclosures. In the wake of what it termed “more frequent and severe cyber
incidents,” the SEC issued cybersecurity disclosure guidance,2 which advises companies to
review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks
and cyber incidents.3
1 Collier v. Steinhafel et al., No. 0:14-cv-00266 (D. Minn.) (filed Jan. 29, 2014), at ¶ 76.
While acknowledging that no existing disclosure requirement explicitly refers to cybersecurity
risks and cyber incidents, the SEC’s guidance stresses that existing requirements oblige
companies to make appropriate cybersecurity disclosures. The guidance states in this regard
that a number of disclosure requirements may impose an obligation on registrants to disclose
cybersecurity risks and incidents. In addition, the guidance explains that material information
regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary
in order to make other required disclosures, in light of the circumstances under which they
are made, not misleading.
SEC Chairwoman Mary Jo White reaffirmed a company’s current cybersecurity disclosure
obligations in response to an April 9, 2013 letter received from Senate Commerce Chairman
Jay Rockefeller.4 In his letter, Chairman Rockefeller urged the SEC to “elevate [its]
guidance,” noting that “[i]nvestors deserve to know whether companies are effectively
addressing their cybersecurity risks.” In response, Chairwoman White emphasized that
“[e]xisting disclosure requirements … impose an obligation on public companies to disclose
risks and events that a reasonable investor would consider material” and that “cybersecurity
risks are among the factors a public company would consider in evaluating its disclosure
obligations.”5 Chairwoman White also highlighted that cybersecurity risk “is a very important
issue that is of increasing concern” and stated that the SEC “continues both to prioritize this
important matter in its review of public company disclosures and to issue comments
concerning cybersecurity.”
In its guidance, the SEC staff advises companies to disclose cybersecurity risks consistent
with the Regulation S-K Item 503(c) requirements for risk factor disclosures generally, such
that the disclosure provided must adequately describe the nature of the material risks and
specify how each risk affects the company. The guidance proceeds to advise that
appropriate disclosures may include the following:
• Discussion of aspects of the registrant’s business or operations that give rise to material
cybersecurity risks and the potential costs and consequences;
• To the extent the registrant outsources functions that have material cybersecurity risks,
description of those functions and how the registrant addresses those risks;
• Description of cyber incidents experienced by the registrant that are individually, or in the
aggregate, material, including a description of the costs and other consequences;
• Risks related to cyber incidents that may remain undetected for an extended period; and
• Description of relevant insurance coverage.6
2 The guidance defines “cybersecurity” as “the body of technologies, processes and practices designed to protect networks,
systems, computers, programs and data from attack, damage or unauthorized access.”
3 SEC Division of Corporation Finance, Cybersecurity, CF Disclosure Guidance: Topic No. 2 (Oct. 13, 2011), available at
http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
4 The April 9, 2013 letter is available at http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=49ac989b-bd16-4bbd-8d64-8c15ba0e4e51
5 Chairman White’s May 1, 2013 letter is available at
http://articles.law360.s3.amazonaws.com/0441000/441415/512013%20Letter%20from%20SEC%20Chair%20White.pdf
Although the guidance does not create new cybersecurity disclosure obligations, it is
abundantly clear that failure to make adequate cybersecurity disclosures may subject a
company to increased risk of enforcement actions and shareholder suits in the wake of a
cybersecurity incident that negatively impacts a company’s stock price.
The Five Tips
The following five tips may assist companies in reviewing the adequacy of their existing
cybersecurity disclosures based on the SEC’s disclosure guidance as well as comments
issued to approximately 55 companies over the last two years.
1. Perform A Cybersecurity Risk Assessment. The SEC staff states in its guidance
that it expects companies to evaluate their cybersecurity risks and take into account
all available relevant information, including prior cyber incidents and the severity and
frequency of those incidents as well as the adequacy of preventative actions taken to
reduce cybersecurity risks in the context of the industry in which they operate and
risks to that security, including threatened attacks of which they are aware. To
facilitate adequate disclosures, companies should consider engaging in a thorough
assessment concerning their current cybersecurity risk profile and the impact that a
cybersecurity breach may have on the company’s business. In addition to
positioning the company to provide adequate cybersecurity risk factor disclosures,
the undertaking of a risk assessment is consistent with the National Institute of
Standards and Technology’s recently released Preliminary Cybersecurity
Framework,7 which, at a high level, provides a framework for critical infrastructure
organizations to achieve a grasp on their current cybersecurity risk profile and risk
management practices and to identify gaps that should be addressed in order to
progress towards a desired “target” state of cybersecurity risk management.8
Although the Cybersecurity Framework is voluntary, organizations are advised to
keep in mind that creative class action plaintiffs (and even some regulators) may
nevertheless assert that the Cybersecurity Framework provides a de facto standard
for cybersecurity and risk management.
2. Consider Disclosing Prior -- And Potential -- Breaches. To the extent a company
or one of its subsidiaries has suffered a reported or known cybersecurity event, the
company should anticipate that the SEC may issue a comment letter if the event is
not disclosed. The following comments are typical of what a company might expect
to see:
• We note that [your subsidiary] announced on its website that a cyber attack
occurred during which millions of user accounts were compromised. Please tell
us what consideration you gave to including expanded disclosure consistent with
the guidance provided by the Division of Corporation Finance's Disclosure
Guidance Topic No. 2.
• We have read several reports of various cyber attacks directed at the company.
If, in fact, you have experienced cyber attacks, security breaches, or other similar
events in the past, please state that fact in order to provide the proper context for
your risk factor disclosure.
6 While the majority of the guidance is focused on risk factors, the SEC also advises that cybersecurity disclosures may be
appropriate in other areas of a company’s filings, including management’s discussion and analysis “if the costs or
other consequences associated with one or more known incidents or the risk of potential incidents represent a
material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of
operations, liquidity, or financial condition or would cause reported financial information not to be necessarily
indicative of future operating results or financial condition.”
7 The Cybersecurity Framework, available at http://www.nist.gov/itl/upload/preliminary-cybersecurity-framework.pdf.
8 Roberta D. Anderson, NIST Unveils Preliminary Cybersecurity Framework, Cybersecurity Alert (Nov. 25, 2013),
available at http://www.klgates.com/nist-unveils-preliminary-cybersecurity-framework-11-22-2013/
Notably, the guidance states that appropriate disclosures may include a description of
cybersecurity incidents that are material individually or in the aggregate. And the comments
issued to date indicate that where a company states that it has not been the victim of a
material cybersecurity event, the SEC nonetheless has requested that the company’s risk
factor disclosure be expanded to state generally that the company has been the victim of
hacking -- regardless of the fact that prior events were immaterial. A few of the SEC
comments to date include (in summary form):
• We note your response that the incident did not have a material impact on the
company’s business. In order to place the risks described in this risk factor in
appropriate context, in future filings please expand this risk factor to disclose that
you have experienced cyber attacks and breaches.
• You state that you have not experienced a material breach of cybersecurity. Your
response does not appear to address whether you are experiencing any potential
current business risks concerning cybersecurity. For example, despite the fact
you believe you have not experienced a material breach of your cybersecurity,
are you currently experiencing attacks or threats to your systems? If you have
experienced attacks in the past, please expand your risk factor in the future to
state that.
• We note that your response suggests that you have, in fact, experienced third-party
breaches of your computer systems that did not have a material adverse
effect on the Company’s operations. In order to place the risks described in your
current risk factor in appropriate context, in future filings please expand your
disclosure to state that you have experienced cyber attacks and breaches.
In addition, the SEC’s guidance advises that companies may need to disclose known or
threatened cyber incidents together with known and potential costs and other consequences.
Companies in targeted industries that have not yet suffered a cybersecurity incident (or are
not yet aware that they have suffered an incident) should consider disclosing how the
company might be impacted by a cybersecurity incident -- even if no specific threat has been
made against the company. Below are sample summary comments received by companies
based on their particular industry or peer disclosures:
• We note press reports that hotels and resorts are increasingly becoming a target
of cyber attacks. Please provide risk factor disclosure describing the
cybersecurity risks that you face. If you have experienced any cyber attacks in
the past, please state that fact in the new risk factor in order to provide the proper
context.
• Given that other companies in your industry have actually encountered such risks
from cyber attacks, such as attempts by third parties to gain access to your
systems for purposes of acquiring your confidential information or intellectual
property, including personally identifiable information that may be in your
possession, or to interrupt your systems or otherwise try to cause harm to your
business and operations and have disclosed that such risks may be material to
their business and operations, please tell us what consideration you gave to
including disclosure related to cybersecurity risks or cyber incidents.
• We note that the incidences of cyber attacks, including upon financial institutions
or their service providers, have increased over the past year. In future filings,
please provide risk factor disclosure describing the cybersecurity risks that you
face. In addition, please tell us whether you have experienced cyber attacks in
the past. If so, please also disclose that you have experienced such cyber
attacks in order to provide the proper context for your risk factor disclosure.
3. Be Specific. The SEC staff has advised that companies should avoid boilerplate
language and vague statements of general applicability. In particular, the guidance
states that companies should not present risks that could apply to any issuer or any
offering and should avoid generic risk factor disclosure. In addition, the guidance
states that companies should provide disclosure tailored to their particular
circumstances and avoid generic boilerplate disclosure. Companies that offer
generally applicable statements may expect to receive comments such as the
following:
• You state that “Like other companies, our information technology systems may
be vulnerable to a variety of interruptions, as a result of updating our SAP
platform or due to events beyond our control, including, but not limited to, natural
disasters, terrorist attacks, telecommunications failures, computer viruses,
hackers, and other security issues.” Please tell us whether any such events
relating to your cybersecurity have occurred in the past and, if so, whether
disclosure of that fact would provide the proper context for your risk factor
disclosure.
• We note that you disclose that you may be vulnerable to breaches, hacker
attacks, unauthorized access and misuse, computer viruses and other
cybersecurity risks and events. Please tell us whether you have experienced any
breaches, hacker attacks, unauthorized access and misuse, computer viruses
and other cybersecurity risks and events in the past and, if so, whether
disclosure of that fact would provide the proper context for your risk factor
disclosures.
4. Remember That A Vulnerability “Road Map” Is Not Required. Although the SEC
seeks disclosures that are sufficient to allow investors to appreciate the nature of the
risks faced by a company, it has made clear that the SEC does not seek information
that would create a road map or otherwise compromise a company’s cybersecurity.
At the outset of its guidance, the SEC staff states that it is mindful of potential
concerns that detailed disclosures could compromise cybersecurity efforts -- for
example, by providing a “road map” for those who seek to infiltrate a company’s
network security -- and that disclosures of that nature are not required under the
federal securities laws. The SEC guidance later reiterates that the federal securities
laws do not require disclosure that itself would compromise a company’s
cybersecurity.
5. Consider Insurance. Network security alone cannot entirely address the issue of
cybersecurity risk; no firewall is unbreachable, and no security system is
impenetrable. Insurance can play a vital role in a company’s overall strategy to
address, mitigate, and maximize protection against cybersecurity risk. Reflecting this
reality, the SEC guidance advises that appropriate disclosures may include a
description of relevant insurance coverage that a company has in place to cover
cybersecurity risks. The SEC’s guidance provides another compelling reason for
companies to carefully evaluate their current insurance program and consider
purchasing “cyber” and data privacy-related insurance products, which can be
extremely valuable.9 In the wake of a data breach such as the recent Target breach,
for example, a solid “cyber” insurance policy may cover not only liability arising out of
potential litigation, such as defense costs, settlements, and judgments, but also
breach notification costs and other “crisis management” expenses, including forensic
investigation, credit monitoring, call centers, and public relations efforts as well as
potential regulatory investigations, fines, and penalties. Recent SEC comments have
requested information regarding both whether the company has obtained relevant
insurance coverage as well as the amount of the company’s cyber liability insurance.
Considering these five tips may assist companies in minimizing the likelihood of receiving
an SEC comment letter (and possibly multiple rounds of comments) and, even more
importantly, the likelihood of lawsuits alleging inadequate disclosure in the event of a
cybersecurity incident.
9 Roberta D. Anderson, Before Becoming The Next Target: Recent Case Highlights The Need To Consider Insurance For Data
Breaches, Insurance Coverage Alert (Jan. 16, 2014), available at
http://www.klgates.com/before-becoming-the-next-target--recent-case-highlights-the-need-to-consider-insurance-for-data-breaches-01-16-2014/
Authors:
Roberta D. Anderson
roberta.anderson@klgates.com
+1.412.355.6222
Katherine J. Blair
katherine.blair@klgates.com
+1.310.552.5017
This publication is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in
regard to any particular facts or circumstances without first consulting a lawyer.
©2014 K&L Gates LLP. All Rights Reserved.