Notes on Disclosing Cybersecurity Lapses
Today let’s return to the issue of disclosing cybersecurity issues to investors, because, frankly, so many companies still struggle with exactly what to say in securities filings. That issue came up at the Securities Enforcement Forum last week and we have some excellent insights to share with the class.
First let’s note that the Securities and Exchange Commission does take enforcement action against companies for ham-fisted disclosure of breaches. We’ve seen two actions this year alone: against First American Financial Corp. in July, and against Pearson Corp. in August. Neither action resulted in significant penalties, but that doesn’t mean the SEC won’t step up its attention to cybersecurity disclosure flubs in the future.
Second, let’s also remember that new rules or guidance from the SEC are forthcoming. The issue is already on the SEC’s rulemaking agenda, and SEC commissioners do talk up the importance of paying heed to cybersecurity on a regular basis; Republican commissioner Elad Roisman outlined his views on the challenge just the other week.
So publicly traded firms do need to think about the cybersecurity breaches and ensuing responses that are happening within your enterprise; and to what extent that activity needs to be disclosed to investors in a timely manner. It’s tricky terrain. Hence the session last week at the enforcement forum.
The key issue, as laid out by speakers in a session focused on cybersecurity, is building an effective process for disclosure, which means bridging the gap between IT and disclosure personnel. Indeed, while SEC guidance on cybersecurity uses the phrase “disclosure controls and procedures” to describe what a company must have in place, the agency is really talking about a process for relevant groups in your enterprise to get together, develop a common understanding of the severity of the breach, and determine what should be disclosed to investors.
Typically those relevant groups will include the IT, legal, compliance, and finance teams; perhaps with investor relations and a few other functions tagging along for good measure. The main point is the company needs to have a structured process for that communication to happen — not some ad hoc group convened in a panic, or an unstructured process where unscrupulous executives exert power to fudge critical details or hide them from investors.
A Process to Do What, Exactly?
The SEC guidance does have advice on what your disclosure process should do: “provide an appropriate method of discerning the impact that such matters may have on the company and its business, financial condition, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents.”
Let’s break down that sentence into its component parts.
If a company wants to “discern the impact” of a breach, it will need several capabilities. For example, it will need some basic amount of forensic capability, simply to understand what happened. Did thieves access only a few dozen customer records, or your entire customer data archive? Did they steal financial projections for the coming year, or design plans for your next flagship product? Did they disrupt minor systems with a ransomware attack, or mission-critical applications that brought operations to a halt?
Second, the company will need an ability to put that damage into financial and legal context. If the thieves accessed customers’ personal data, what regulatory obligations does that trigger for disclosure to harmed customers, privacy regulators, or the public in general? If your business is in critical infrastructure, does that ransomware attack trigger a duty to disclose the disruption to the feds?
To understand the financial context, at the very least the company will need an ability to estimate disaster recovery and remediation costs. Ideally, you’ll be able to do that because you already have a business continuity and disaster recovery plan, complete with lists of your most critical business processes and estimates of the dollar amounts lost per hour that those systems are off-line, or some other metric like that. Hence the importance of developing those continuity and recovery plans in advance; and running table-top drills from time to time; and re-assessing your risks regularly to ascertain what’s changed. Those prophylactic steps matter.
We also have the second part of that SEC guidance: “a protocol to determine the potential materiality of such risks and incidents.” Cybersecurity breaches can lead to a few types of material costs, such as:
- Lost revenues, such as from ransomware shutting down operations;
- Remediation costs, including forensic analysis, new equipment, audits, make-goods offered to customers, and re-engineered business processes;
- Regulatory investigations, monetary penalties, and civil litigation;
- Higher insurance premiums.
Clearly a lot of those materiality judgments will be subjective, based upon the knowledge and competency of senior executives. That’s OK, but it brings us back to the basic point of this point: that you need a process for clear communication between technical and disclosure personnel. Otherwise you risk making those subjective judgments with incomplete information or misunderstood perspectives, and nothing good will follow from that.
And while the securities forum panelists didn’t bring up this next point, I’d also say the subjective dimension to all this really underlines the importance of documentation, too. Write down what your process is, and when the inevitable cybersecurity event happens, write down how you reached the decisions you did. That will be invaluable should the SEC later come knocking at your door.
Bonus: Insider Trading Headaches
Cybersecurity breaches also bring up insider trading concerns. This has been a sore point with the SEC for years: that senior executives should not trade shares in advance of disclosing news about a cybersecurity breach.
SEC guidance doesn’t expressly say, “Thou shall not conduct insider stock sales while sitting on news of a cybersecurity event.” Instead, the guidance sticks with the agency’s usual hard-to-pin-down language to discuss insider trading generally:
Companies and their directors, officers, and other corporate insiders should be mindful of complying with the laws related to insider trading in connection with information about cybersecurity risks and incidents, including vulnerabilities and breaches … [I]nformation about a company’s cybersecurity risks and incidents may be material nonpublic information, and directors, officers, and other corporate insiders would violate the antifraud provisions if they trade the company’s securities in breach of their duty of trust or confidence while in possession of that material nonpublic information.
Some compliance officers might say, “Ha! We don’t have to worry about insider trading headaches, because our company has a 10(b)5-1 plan for insider stock sales on a fixed schedule!” I’m not sure whether those plans will save your bacon.
I can’t help but recall warnings from former SEC chairman Jay Clayton (and others at the SEC), who said last year that 10(b)5-1 plans might not keep your senior executives out of trouble. Clayton’s take was that the company’s possession of material nonpublic information — like, say, a major cybersecurity lapse — could be enough to trigger insider trading liability, even if the senior executives themselves didn’t know about it. As he said last year:
A well-designed insider trading policy should have controls in place to prevent senior executives and members of the board of directors from trading once a company is in possession of material nonpublic information, even if an individual officer or director did not personally have knowledge of the information.
Cybersecurity events are especially prone to fit Clayton’s circumstances: the IT department might know about a breach but not tell disclosure staff about it; or the disclosure staff might misunderstand the facts and mistakenly conclude the event isn’t material.
So yet again, we’re back to the importance of clear communication among various parts of the business. Funny how that point keeps cropping up, isn’t it?