
SEC post-guidance practice

In document Navigating the Digital Age (Page 72-74)

Of course, guidance is just guidance unless the SEC, through its actions, gives it teeth. And the SEC has. Under Sarbanes-Oxley, the Division reviews every public company’s reports at least once every three years, and the Division has focused intensely on cyber disclosures since the Guidance—especially risk factor disclosures. Responding to a follow-up letter from Senator Rockefeller requesting that the SEC enshrine the Guidance as a formal SEC rule, Schapiro’s successor Mary Jo White took pains to stress that active staff review of cybersecurity—using existing disclosure rules—was an SEC priority. In her May 1, 2013 letter, White revealed that the Division had already issued approximately 50 cyber-related comment letters. And many more have been sent since then. Google, Amazon, AIG, Quest Diagnostics, and Citigroup are just some of the scores of public companies that received letters from staff urging enhanced disclosures of their cyber risks. The lessons we can learn from those exchanges are detailed below.

■ Tips for preparing 10-K and 10-Q cyber disclosures

According to a recent survey by Willis, 87% of Fortune 500 companies claim to have complied with the Guidance. The SEC’s “enforcement” of it through comment letters has given it the muscle and imprimatur of a rule. Certain noteworthy trends that emerge from these letters follow:

Trend 1: Staff pushes for all cyber incidents to be disclosed—material or not. Materiality is the touchstone of disclosure. Even so, and even though the Guidance calls for disclosure of “cyber incidents... that are individually, or in the aggregate, material,”

Trend 3: Staff is interested not only in the disclosure, but the pre-disclosure process. As Chairman White has stated, even in the absence of a law or regulation directly compelling companies to adopt strict cybersecurity measures, the SEC is exercising its power to indirectly prod companies to analyze and strengthen their cybersecurity programs through issuing disclosure guidance and bringing investigations, enforcement actions, and litigation against companies that fall short. In this way the SEC has taken on a larger mission than simply requiring disclosure—it is using its existing authorities to steer companies to engage in a deep, searching process to evaluate cyber risk. Whether or not you think the SEC is the appropriate regulator of this area, such a searching analysis is important to securing a company’s digital assets. Management should engage in and document its analysis of the effects of cyber incidents on the company’s operations, with special attention to the probability of various types of attacks and their potential cost, from a quantitative and qualitative standpoint. It should do so not just to weather the storm of a possible SEC inquiry, but because such an analysis brings necessary executive-level oversight to a crucial area of enterprise risk.

Trend 4: Third-party risk is on the staff’s mind. Staff is encouraging companies to look beyond their four walls to the cyber risk posed by the use of vendors. Staff will ask whether the company’s vendors have experienced cyberattacks, and request assessment—and disclosure—if a breach at a third-party vendor could have a material effect on the company. The SEC likely believes that if public companies are required to disclose risks in their supply chain in addition to their own, third-party cybersecurity will improve as a result.

■ In the heat of battle: 8-K disclosure questions during an attack

Of course, 10-Ks and 10-Qs are not the only reports public companies produce—certain enumerated material corporate events, such as termination of executive officers or changes in auditors, must be reported on a “current basis” on Form 8-K. However, no currently-existing securities law or rule expressly requires cyberattacks—material or otherwise—to be reported on Form 8-K. Generally, reporting cyber events is entirely voluntary. Companies that do so use Form 8-K’s Item 8.01, “Other Events,” which is used to voluntarily report events that the company considers to be of importance to investors. Public companies must navigate issues such as materiality, selective disclosure, trading, and effect on stock price, all in an environment where disclosure of a cyber event is almost sure to draw a lawsuit, a government investigation, or other unwanted scrutiny. No one-size-fits-all answer exists—it is almost always a judgment call. In this section, we detail some of the questions and analysis that companies should consider regarding whether to disclose an attack on Form 8-K, and if so, when. One way to think about these questions is outlined in the decision tree on the next page (Figure 1).

Why consider disclosure if you don’t have to? Even if no rule mandates disclosure, companies and experienced counsel know that there are frequently upsides to disclosure—especially in a world where securities litigation, derivative suits, and enforcement actions are lurking. Instead of provoking shareholder litigation, might an announcement ward it off? Can an 8-K eliminate a plaintiff’s or regulator’s argument that an insider traded on the basis of material non-public information? The chart on the next page (Table 1) lays out some of the possible advantages—along with the more well-known disadvantages—that companies should consider.

Is the cyberattack material? The determination of whether a cyber event is material is not clear-cut. First, the Supreme Court has rejected a bright-line, quantitative rule for materiality—instead reaffirming Basic v. Levinson’s formulation that any nonpublic information that significantly alters the total

WHERE CYBERSECURITY MEETS CORPORATE SECURITIES

Figure 1 (decision tree; the original graphic is not reproduced here). The tree leads either to LEAN TOWARD 8-K DISCLOSURE or LEAN AGAINST 8-K DISCLOSURE, with Yes/No/Not sure branches, and its decision nodes carry the following questions: Is it material? Does the cost and consequence of the breach substantially affect you or your financial outlook? Really? Are you sure? Is there a separate obligation to disclose (state PII laws, trading rules)? Is discovery of the breach (by the government or public) likely or inevitable? Will you disclose anyway via website, to third parties, etc.? Will insiders trade while in possession of this information? Does it make prior statements misleading? Is there a potential Regulation FD issue? Will the disclosure itself harm the company? Will it compromise security? Will it trigger securities or other litigation or investigations?
