Less than a month after Sony Corporation was forced to shut down its PlayStation network by hackers who stole users' information, a group of Democratic senators wrote to the Securities and Exchange Commission (SEC) asking it to issue guidance requiring companies to disclose when they have suffered a major network attack.
The group of senators included Senate Commerce Committee Chairman Jay Rockefeller. The May 11, 2011, letter noted that a substantial number of companies do not report security risks to investors. Citing a 2009 survey conducted by Hiscox, an insurance underwriter, the senators noted that 38 percent of Fortune 500 companies made a "significant oversight" by not mentioning privacy or data security exposures in their public disclosures. The senators also noted that, among those companies that did make a statement about risks, none provided information on steps taken by the corporation to reduce risk exposure.
The senators asked the SEC to clarify disclosure requirements by publishing interpretive guidance on the disclosure of security risks and of security breaches involving intellectual property or trade secrets. They also asked the SEC to examine how important market participants, such as credit rating agencies and securities analysts, consider security risks when assessing companies and investment products. According to the senators, issuing such guidance will "enhance investor and corporate awareness of information security risk, thus improving the national security of our nation."
CF Disclosure Guidance
On October 13, 2011, the SEC issued a CF Disclosure Guidance relating to cyber-security risks and cyber incidents.[1] In its overview of the impact that cyber-security risks have on an organization, the SEC noted that the consequences may include:
remediation costs related to liability for stolen assets or information and repairing damage that may have been caused;
increased cyber-security protection costs that may include organizational changes, deploying additional personnel, training employees, and engaging outside experts and consultants;
reputational damage adversely affecting customer or investor confidence.
Prior to the Guidance, publicly traded companies were not required to report in their SEC filings whether a computer security incident had occurred or whether they had fixed the problem. Starting in 2012, however, publicly traded companies must acknowledge cyber attacks to regulators and explain the measures they plan to take to close their cyber-security gaps. Before the Guidance, only certain sectors of the economy were required to report cyber attacks: banks are required to report any cyber intrusions to the Department of the Treasury, and in the healthcare sector, companies are required to report data breaches to the Department of Health and Human Services.
The Guidance states that public companies should disclose the risk of cyber incidents if these issues are "among the most significant factors that make an investment in the company speculative or risky."[2] Consistent with the Regulation S-K Item 503(c) requirements for risk factor disclosure generally, the cyber-security risk disclosure provided must adequately describe the nature of the material risk and specify how each risk affects the company.
Management's Discussion and Analysis
In their disclosures, companies should address cyber-security risks and cyber incidents in their Management's Discussion and Analysis if the costs or other consequences associated with one or more incidents, or the risk of potential incidents, represent a material effect on the company's operations, liquidity, or financial information. If it is reasonably likely that a cyber incident will lead to reduced revenues or an increase in cyber-security protection costs, including litigation-related costs, the company should discuss these potential outcomes. The company should also discuss the amount and duration of the expected costs, if material.
Description of Business
The Guidance provides that if one or more cyber incidents materially affect a company's products, services, relationships with customers or suppliers, or competitive conditions, the company should provide disclosure. The Guidance also provides that a company must disclose the risks in its "Description of Business"[3] and in its report on legal proceedings.[4]
Disclosure Controls and Procedures
Companies are required to disclose conclusions on the effectiveness of their disclosure controls and procedures. If cyber incidents pose a risk to a company's ability to report accurately, the company should disclose that its controls and procedures are ineffective.
The new disclosure requirements may impact a company's contractual relationships and its ability to import personal data. This is particularly true in transactions involving companies established in the 27 member states of the European Union (EU). In order to import and process personal data from the EU, many U.S. companies have entered into data-protection agreements that require adequate controls to be put in place to protect personal data.
The EU's standard contractual clauses[5] require companies established outside of the EU to have in place "technical and organizational security measures" aimed at protecting personal data against "accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing." Appendix 2 of these standard contractual clauses requires the non-EU company to describe the technical and organizational security measures it has in place. The non-EU company must also notify the EU company of any inability to comply with the requirements.
U.S. companies making the disclosures required by the Guidance may well run into problems with their contractual obligations. It is not difficult to envision that disclosures of risks as required by the Guidance may well lead to claims that the U.S. company is not in compliance with its obligations under the standard contractual clauses. This could disrupt a company's ability to transfer personal data from its own affiliated entities in the EU. Such an interruption could have a significant financial impact on a multinational company.
The new disclosure requirements may directly impact the value of a company's stock, its contractual relationships, and its ability to freely import personal data. Ironically, the required disclosures may also increase cyber risks by providing a "road map" for hackers to bypass a company's defenses. If a company fails to disclose cyber risks, however, it will face potential penalties from the SEC as well as breach of contract claims.
Publicly traded companies are going to have to be much more aware of information security risks. As investors, credit rating agencies, and securities analysts also become more aware, they will no doubt increase pressure on companies to take cyber security seriously. Whether this increased awareness will achieve the senators' lofty goals of "improving the national and economic security of our nation," however, remains to be seen.
[5] Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI.