BreachExchange mailing list archives

SEC activity trends in cybersecurity and securities law


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 14 Apr 2015 19:07:08 -0600

http://www.insidecounsel.com/2015/04/14/sec-activity-trends-in-cybersecurity-and-securitie

As with many agencies, cybersecurity concerns are a top priority at the
Securities and Exchange Commission (SEC). From the publication of staff
guidance in 2011 regarding the disclosure implications of
cybersecurity-related threats and incidents, to recent examinations of more
than 100 broker-dealers and registered investment advisers with respect to
cybersecurity preparedness and the incorporation of cybersecurity
considerations in its enforcement activities, the SEC has taken a
multi-faceted approach to cybersecurity threats facing public companies,
investors and the markets more generally. The following is a summary of the
key trends in SEC activity relating to cybersecurity that impact public
companies.

Cybersecurity disclosures

Federal securities law does not explicitly require issuers to disclose
successful breaches of their cybersecurity defenses, much less attempted
breaches that failed. Notwithstanding the absence of a specific line item or form
prescribing such disclosure, SEC guidance and market practice dictate that
companies consider making disclosures about material cybersecurity
incidents. Specifically, SEC staff guidance from 2011 highlights the need
for companies to consider whether cybersecurity risks or cyber events
warrant disclosure in their periodic reports.

There were six principal areas for potential disclosure requirements
identified by the SEC staff in 2011 that could be implicated by a
cybersecurity incident: a company’s risk factor disclosures, description of
business, management discussion and analysis (MD&A), legal proceedings,
financial statement disclosures, and disclosure controls disclosures. The
first of these potential disclosure areas, the risk factors, is where many
companies address cybersecurity risks. Cybersecurity risk factors commonly
address issues such as the risks associated with:

Reliance on information technology systems and networks
Exposure to third party service providers that manage company systems and
networks
Receiving, storing, processing and transmitting sensitive information
pertaining to a company’s business, customers, dealers, suppliers and
employees
Denial of service attacks, internal and external security breaches,
computer malware and other cyber attacks
The lack of adequate insurance coverage, potential legal or regulatory
sanctions resulting from cybersecurity incidents, and reputational damage
with customers, dealers and suppliers resulting from cybersecurity incidents

Since 2011, the SEC has issued comment letters regarding cybersecurity to a
number of companies; these letters often seek new or better risk factor
disclosure regarding cybersecurity. A common comment asks a company whether
it has experienced any cyber attacks and, if so, to revise the disclosure
to “provide the proper context” for the company’s general risk factor
disclosures. See, for example, SEC comment letter sent to Meredith Corp in
February 2014. The SEC also actively monitors press coverage of public
companies and has, in some instances, asked companies specific questions
about their exposure to cyber risk as a result of that press coverage.

Cybersecurity disclosures in other areas of a company’s periodic reports
are less common; however, companies that have experienced major cyber
attacks often disclose such attacks and their impact in the discussion of
trends and uncertainties in the MD&A sections of their periodic reports,
such as the MD&A disclosures by Target Corporation in its Form 10-K for the
period ending January 31, 2015.

SEC enforcement activity

Senior officials in the SEC’s enforcement division have indicated that
cybersecurity is “high on [the SEC’s] radar screen.” The staff appears to
be backing this and similar statements with action—we are aware of several
SEC investigations in which the staff appears to be taking the position
that the failure to adequately disclose the existence and effects of a
successful cyber attack in a company’s public disclosures may violate
federal securities law. The staff also appears to be taking the position
that such a failure may reflect a shortcoming in a company’s disclosure
controls and procedures, which are supposed to result in the timely
disclosure of material information.

We understand that the staff also may be pursuing a theory of liability
based on perceived shortcomings of a company’s internal control over
financial reporting, where the SEC’s rules require that a company develop a
process to provide, among other things, “reasonable assurance regarding
prevention or timely detection of unauthorized acquisition, use or
disposition of the issuer’s assets that could have a material effect on the
financial statements.” Some SEC staff members have expressed the view that
a company’s failure to prevent a successful cyber attack that could have
involved material assets could demonstrate a failure to comply with these
internal control requirements.

While these theories of liability are thus far untested, in-house counsel
should consider incorporating disclosure and internal controls
considerations into processes for responding to data security breaches. For
example, a company that has experienced a significant cybersecurity breach
may wish to engage with its auditors to discuss whether a data security
breach reflects a weakness in its internal control over financial reporting
and whether any changes in response to the breach will result in material
changes to its internal control over financial reporting.

Conclusion

In her opening remarks at the SEC’s 2014 roundtable regarding
cybersecurity, Chair White called cybersecurity threats a global issue of
“extraordinary and long-term seriousness” and emphasized the SEC’s
commitment to the issue. As reflected by the activities described above,
the SEC staff is affirmatively engaging with companies and the markets on
cybersecurity matters. Given the pervasiveness of cybersecurity issues
generally, it is unlikely that these efforts will subside anytime soon.
Also, despite having issued the 2011 cybersecurity guidance, the SEC
continues to face pressure from outside sources, including Congress, the
White House and the public, to go further. For these reasons, we don’t
expect to see any dimming of the SEC’s spotlight on cybersecurity
disclosures.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 