Whether they’re in banking, retail or the defense industry, companies from a huge array of sectors face a diverse array of cybersecurity risks every day from parties that seek to steal information or intellectual property to disrupt company operations or corrupt data.
An April 2011 attack on Sony’s PlayStation Network compromised personal customer data from more than 100 million accounts, forcing the network to shut down for a month. The Goldman Sachs Group Inc. quickly realized it was a victim in 2009 when a computer programmer on his last day of employment with the company stole proprietary software to shop it to his new employer. In January 2010, Google Inc. said it was the victim of attackers seeking information on Chinese human rights activists, in an attack that also targeted 20 other companies across various industries. And participants in the amorphous hacking group Anonymous targeted a string of corporate websites in 2010 and 2011 with distributed denial of service (DDoS) attacks, which overwhelm networks and crash systems.
“The configurations are kind of endless,” says White & Case Partner William Currier, a former assistant regional director of the Securities and Exchange Commission (SEC) and senior trial counsel. “You can just feel the rising tide of danger.”
In response to this danger and to pressure from legislators, on Oct. 13, 2011, the SEC’s Division of Corporation Finance issued guidance on disclosure obligations as they relate to cybersecurity risks and cyber incidents. Although the guidance creates no new requirements, it makes clear that the agency expects public companies and other SEC-reporting companies to have undertaken an assessment of the risks they face, the consequences that may occur in the occasion of a cyber event and how they might respond.
A group of five U.S. senators, including John Rockefeller, chairman of the Commerce, Science and Transportation Committee, sent a letter to SEC Chairman Mary Schapiro in May 2011 requesting such interpretive guidance to address investor confusion and reporting inconsistencies by clarifying how existing disclosure requirements pertain to information security risk. They cited a 2009 survey by insurance underwriter Hiscox, which found that 38 percent of Fortune 500 companies made a “significant oversight” by failing to mention privacy or data security exposures in their public filings.
The senators wrote, “Securing cyberspace is one of the most important and urgent challenges of our time. … In light of the growing threat and the national security and economic ramifications of successful attacks against American businesses, it is essential that corporate leaders know their responsibility for managing and disclosing information security risk.”
And if corporate leaders fail to make adequate disclosures, Currier says this guidance lays the blueprint for further action in the future.
“From my enforcement perspective,” he says, “these guidelines set up the situation where the SEC’s going to bring an enforcement action against some company for making false or misleading statements about cybersecurity and exposure inside a major U.S. or non-U.S. company that failed to provide necessary notifications, and then experienced a massive breach. I can’t say that tomorrow there will be an enforcement case, but the SEC doesn’t write about stuff it’s not concerned about.”
In its guidance, the SEC reminds companies of several specific disclosure obligations that may require a discussion of cybersecurity risks and incidents. One area the guidance addresses is risk factor disclosures, if cyber incidents “are among the most significant factors that make an investment in the company speculative or risky.”
To make that determination, the SEC says it expects public companies to evaluate their cybersecurity risks, the probability of cyber incidents occurring, and the quantitative and qualitative magnitude of those risks, including costs and other consequences—for instance, misappropriation of sensitive information, corruption of data or operational disruption.
The other disclosure obligations the SEC outlined covered MD&A (Management’s Discussion and Analysis of financial condition), Description of Business (if a cyber incident materially impacts the viability of, for example, a new product), Legal Proceedings (as they relate to a cyber incident) and Financial Statement Disclosures (if a cyber incident has an impact on financial statements).
The guidance recognizes that one of the challenges for companies that disclose will be to balance the need for detailed disclosures with some measure of secrecy, so that they avoid laying out a road map for potential attackers. The SEC emphasized that it won’t require disclosures that could compromise cybersecurity efforts.
Colin Zick, a partner at Foley Hoag, says that the cybersecurity expertise within companies can vary considerably. “You’ll see a similarly diverse set of responses to this guidance,” he says. “If you work for a small public company that interacts with consumers, you might not be thinking about cybersecurity, so the purpose of a guidance like this is to make you think about it and remember that you have an obligation there.”
Now that the SEC staff’s initial views are in writing, the agency is likely to keep a close eye on disclosures that come out in the next year, says Michael Hermsen, a partner at Mayer Brown. “If the SEC thinks there are inadequacies or inconsistencies, we might see further action, in line with some sort of rulemaking or more specific interpretive guidance,” he says.
For now the guidance serves as a reminder, a framework and perhaps as a sign of things to come as more companies face data and network security breaches, and the attendant consequences—which can be costly.
Sony estimated that it would cost $171 million to rebuild its computers and to compensate customers and provide them with credit protection services and an analyst at Wedbush Morgan estimated that the network outage cost the company about $10 million per week. Plus Sony was slow to share information about the breach with its customers, badly tarnishing its reputation. “That case illustrates a readily apparent risk not addressed ahead of time,” Currier says.