BreachExchange mailing list archives
SEC activity trends in cybersecurity and securities law
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 14 Apr 2015 19:07:08 -0600
http://www.insidecounsel.com/2015/04/14/sec-activity-trends-in-cybersecurity-and-securitie

As with many agencies, cybersecurity concerns are a top priority at the Securities and Exchange Commission (SEC). From the publication of staff guidance in 2011 regarding the disclosure implications of cybersecurity-related threats and incidents, to recent examinations of more than 100 broker-dealers and registered investment advisers with respect to cybersecurity preparedness and the incorporation of cybersecurity considerations in its enforcement activities, the SEC has taken a multi-faceted approach to cybersecurity threats facing public companies, investors and the markets more generally. The following is a summary of the key trends in SEC activity relating to cybersecurity that impact public companies.

Cybersecurity disclosures

Federal securities law does not explicitly require issuers to disclose cybersecurity breaches, much less failed breaches, of cybersecurity defenses. Notwithstanding the absence of a specific line item or form prescribing such disclosure, SEC guidance and market practice dictate that companies consider making disclosures about material cybersecurity incidents. Specifically, SEC staff guidance from 2011 highlights the need for companies to consider whether cybersecurity risks or cyber events warrant disclosure in their periodic reports. The SEC staff identified six principal areas in 2011 where disclosure requirements could be implicated by a cybersecurity incident: a company's risk factor disclosures, description of business, management discussion and analysis (MD&A), legal proceedings, financial statement disclosures, and disclosures regarding disclosure controls and procedures. The first of these potential disclosure areas, the risk factors, is where many companies address cybersecurity risks.
Cybersecurity risk factors commonly address issues such as the risks associated with:

- Reliance on information technology systems and networks
- Exposure to third-party service providers that manage company systems and networks
- Receiving, storing, processing and transmitting sensitive information pertaining to a company's business, customers, dealers, suppliers and employees
- Denial of service attacks, internal and external security breaches, computer malware and other cyber attacks
- The lack of adequate insurance coverage, potential legal or regulatory sanctions resulting from cybersecurity incidents, and reputational damage with customers, dealers and suppliers resulting from cybersecurity incidents

Since 2011, the SEC has issued comment letters regarding cybersecurity to a number of companies; these letters often seek new or better risk factor disclosure regarding cybersecurity. A common comment asks a company whether it has experienced any cyber attacks and, if so, to revise the disclosure to "provide the proper context" for the company's general risk factor disclosures. See, for example, the SEC comment letter sent to Meredith Corp in February 2014. The SEC also actively monitors press coverage of public companies and has, in some instances, asked companies specific questions about their exposure to cyber risk as a result of that press coverage.

Cybersecurity disclosures in other areas of a company's periodic reports are less common; however, companies that have experienced major cyber attacks often disclose such attacks and their impact in the discussion of trends and uncertainties in the MD&A sections of their periodic reports. See, for example, the MD&A disclosures by Target Corporation in its Form 10-K for the period ending January 31, 2015.
SEC enforcement activity

Senior officials in the SEC's enforcement division have indicated that cybersecurity is "high on [the SEC's] radar screen." The staff appears to be backing this and similar statements with action: we are aware of several SEC investigations in which the staff appears to be taking the position that the failure to adequately disclose the existence and effects of a successful cyber attack in a company's public disclosures may violate federal securities law. The staff also appears to be taking the position that such a failure may reflect a shortcoming in a company's disclosure controls and procedures, which are supposed to result in the timely disclosure of material information.

We understand that the staff also may be pursuing a theory of liability based on perceived shortcomings of a company's internal control over financial reporting, where the SEC's rules require that a company develop a process to provide, among other things, "reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer's assets that could have a material effect on the financial statements." Some SEC staff members have expressed the view that a company's failure to prevent a successful cyberattack that could have involved material assets could demonstrate a failure to comply with these internal control requirements.

While these theories of liability are thus far untested, in-house counsel should consider incorporating disclosure and internal controls considerations into processes for responding to data security breaches. For example, a company that has experienced a significant cybersecurity breach may wish to engage with its auditors to discuss whether a data security breach reflects a weakness in its internal control over financial reporting and whether any changes in response to the breach will result in material changes to its internal control over financial reporting.
Conclusion

In her opening remarks at the SEC's 2014 roundtable regarding cybersecurity, Chair White called cybersecurity threats a global issue of "extraordinary and long-term seriousness" and emphasized the SEC's commitment to the issue. As reflected by the activities described above, the SEC staff is affirmatively engaging with companies and the markets on cybersecurity matters. Given the pervasiveness of cybersecurity issues generally, it is unlikely that these efforts will subside anytime soon. Also, despite having issued the 2011 cybersecurity guidance, the SEC continues to face pressure from outside sources, including Congress, the White House and the public, to go further. For these reasons, we don't expect to see any dimming of the SEC's spotlight on cybersecurity disclosures.