It’s hardly news that data breaches of just about every type are on the rise—in frequency, sophistication, and risk impact. From personal financial and healthcare information to intellectual property and trade secrets, cyber-theft and cyber-sabotage show no signs of abating.
And it’s not just from teenaged hackers toiling away in far-flung corners of the globe. Transnational organized criminals—sometimes in concert with nation states, sometimes acting alone—continue to score massive attacks against a wide variety of targets.
Unfortunately, many companies don’t fully grasp the threats they face, perhaps viewing cybersecurity as essentially “an IT thing.” Not only does this (mistaken) perception increase an organization’s potential exposure to attack, it also widens the gap between those charged with protecting the enterprise and those whose obligations include maintaining strong corporate governance and ensuring shareholder returns.
And with the damage being regularly wrought on even some of the supposedly best-protected defenses, governance is very much the point. It’s not just businesses and customers who are on the hook. In an era where digital assets hold an ever-greater share of a company’s market value, investors, too, have a strong interest in knowing how, and how well, companies are managing their cyber-operational risks.
US states, as well as foreign governments and regulators, have responded to this increasingly pressing issue with a variety of data breach laws and/or regulations intended to protect consumer information. The US Securities and Exchange Commission, too, has recently issued updated guidance applicable to SEC registrants.
Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky. . . In determining whether risk factor disclosure is required, we expect registrants to evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents.
As part of this evaluation, registrants should consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data, or operational disruption.
Beyond disclosure, companies will also need to account for, and disclose, the costs of a breach in a timely manner. Failure to do so can create significant whistleblower risk—which the SEC’s bounty program exacerbates.
These new guidelines constitute a strong signal that companies need to take their cybersecurity efforts seriously. Not only do the guidelines create SEC enforcement risk, they can serve as a yardstick for the class action bar in seeking to prove liability. And regulatory tea leaves suggest that, with the accelerating risk that cyber-threats now pose to shareholders and investors, the SEC will continue to assume more prominence in this space. Responding to SEC guidance is gaining board-level traction.
Still, the task of meaningfully describing the potential risk in public filings—and, in the event of a breach, the potential impact on the securities—is challenging for many registrants, even those who have already felt the sting of a cyber-attack. General Counsel and compliance leaders, hand-in-hand with C-Suite partners, will likely need help determining what, how, and when to disclose information regarding the potential for a cyber-attack—and how such an attack might impair their operations and valuation.
On the plus side, there is growing interest in the National Institute of Standards and Technology (NIST) Cyber Security Framework, a public-private initiative that will hopefully lead to improved security. The NIST framework will help registrants move in a single direction—a beneficial step as companies prepare to develop plans to mitigate and recover from breaches, and a demonstration of reasonable cyber-risk management.
It’s clear that the Internet, Cloud, mobile, and various other technologies are greasing the wheels for the propagation of cyber-crimes of all kinds. It’s equally clear that security is not likely to outpace the innovation that enables advances in productivity and cost savings—the very virtues that make companies desirable targets.
Cyber-attacks, in other words, are never going away. Viewed in this context, the new SEC guidance on cyber-disclosure is a natural evolutionary step in addressing this systemic risk. Still, it is only a step. Compliance alone is not a silver bullet. It should be viewed as the cornerstone of a new framework for managing registrant risk—one that embeds both vigilance and continuous improvement into corporate strategy, in cooperation with regulators and forward-thinking entities such as NIST.
It can be challenging for a public company and its leaders to incorporate these kinds of evolutionary process improvements into their business strategies while navigating the full range of cyber-risks alone. Are you prepared?
 Securities and Exchange Commission, Division of Corporation Finance, CF Disclosure Guidance: Topic No. 2, Cybersecurity (October 13, 2011), http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm