The watershed moment that all companies feared when the Securities and Exchange Commission published its first guidance on cybersecurity disclosure under the federal securities laws in 2011 has arrived. We have long been aware of the liability risks under the federal securities laws for cybersecurity incidents, including for the timeliness of incident disclosures, statements and/or omissions regarding prior or ongoing incidents, risk factor disclosures, public statements about cyber policies or programs, statements regarding legal compliance with data privacy and state user-notification laws, and insider trading. This includes control-person liability for directors and officers, aiding and abetting liability, and (most recently) liability for faulty or insufficient internal controls even in the absence of fraud or material misstatements.
Yet, for almost half a decade, the SEC and the Department of Justice did little in the way of scrutinizing companies that were the victims of sophisticated cyberattacks, other than repeatedly announcing that cybersecurity was a priority. That all has changed, as the SEC recently took the unusual step of confirming that it is conducting an investigation of Yahoo! in what is widely considered the largest breach in history, and with other unconfirmed reports of investigations of Equifax and previously of Target. Recent comments from SEC officials seem to suggest that the SEC is pursuing an aggressive theory that requires disclosure, namely to ensure that prior statements, particularly risk factors, are not rendered misleading. And, yet, this is one cybersecurity risk that can be mitigated. After discussing the legal landscape, we suggest how.
The SEC Gets Serious
Notwithstanding ongoing investigations, outside the broker-dealer context, the SEC has yet to file charges against a public company or its directors and officers over a cybersecurity breach or incident. That said, SEC Chairman Jay Clayton upped the ante recently, announcing that, “[p]ublic companies have a clear obligation to disclose material information about cyber risks and cyber events. I expect them to take this requirement seriously.”
On its face, this is an aggressive position for the SEC to take. With respect to public statements, it is bedrock law that companies do not have a legal duty to disclose information, even if it is material, unless one of three general conditions is met:
* The company is trading on the information (such as a stock buyback),
* A statement (or omission) would render a prior statement materially misleading, or
* Disclosure is expressly required by an SEC regulation.
Complicating the situation, however, is that there is an array of non-federal-securities-law requirements that require disclosure to individuals or government agencies of certain instances of unauthorized access to or acquisition of personal information, such as state data breach notification requirements and regulatory regimes such as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the Defense Federal Acquisition Regulation Supplement (DFARS), and others.
Setting aside non-federal securities law obligations, which do not clearly give rise to a disclosure duty under the federal securities laws, the key to understanding the SEC’s renewed vigor lies in the oft-cited October 2011 Division of Corporate Finance “CF Disclosure Guidance: Topic No. 2, Cybersecurity” guidance on cybersecurity disclosures (“SEC Cybersecurity Guidance”). As is relevant here, the SEC Cybersecurity Guidance states:
[a]lthough no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. In addition, material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.
The SEC Cybersecurity Guidance goes on to say that disclosure may be required prior to any actual cyber attack or incident, as well as during and after an incident. Specifically, for prior or ongoing incidents (and this is key), the SEC Cybersecurity Guidance states that a company:
may need to disclose known or threatened cyber incidents to place the discussion of cybersecurity risks in context. For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur. Instead, as part of a broader discussion of malware or other similar attacks that pose a particular risk, the registrant may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences.
Given recent comments from various SEC officials, there is a strong undercurrent that the SEC may be construing this to mean that companies with robust cybersecurity risk factors must consider whether and to what extent those risk factors are rendered materially misleading because an incident has occurred. In other words, when a breach is discovered, the duty to disclose arises out of the need to ensure that the risk factors are not misleading.
And, despite the fact it conflicts with bedrock law and Supreme Court precedent, the Commission’s new interpretive guidance issued on February 21 states that companies have an obligation to disclose a cyber incident under the federal securities laws even if it does not render a prior statement materially misleading. The new interpretive guidance also requires public companies to address the issues that surfaced in the Equifax breach, such as revising insider trading policies and blackout periods to address stock trading by corporate insiders between the time when the company has discovered a breach and when it is publicly disclosed, evaluating disclosure controls and escalation procedures for cyber incidents, and requiring corporate leaders to assess the potential impact of an incident on its business, operating results, reputation and stock price.
Key Steps Companies Can Take Now
What does this all mean, and what should companies consider? To ensure compliance with disclosure obligations and minimize the risk of charges for violations of the federal securities laws, companies, boards and management should consider taking the following actions:
Identify – Public Disclosures: Companies should carefully scrutinize all public statements about cybersecurity before, during and after an incident to avoid misstatements and reduce the risk of securities law violations. This should include cybersecurity risk factor disclosures, MD&A and other areas of SEC filings specified in the SEC’s 2011 Cybersecurity Guidance, press releases, earnings call scripts, and seemingly innocuous statements in privacy policies, terms of service, and in statements posted to security blogs or social media (particularly regarding bug bounty programs). Companies should also assess the materiality of cybersecurity incidents and memorialize their assessment in a SAB 99-like memorandum for later use should the SEC second-guess the company’s decision not to disclose the incident. The materiality assessment should take into account both quantitative and qualitative factors such as: the response and remediation costs including investigation costs, costs of notification and (where required) credit-monitoring type services; liability for stolen assets or information; the repair of system damage that may have been caused; incentives offered to customers or other business partners in an effort to maintain the business relationships after an attack; increased cybersecurity protection costs such as organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third party experts and consultants; lost revenues resulting from unauthorized use of proprietary information or the failure to retain or attract customers following an attack; litigation; and reputational damage adversely affecting customer or investor confidence.
Finally, when making disclosures under the state data breach laws, companies need to ensure they are not violating Regulation FD.
Protect – Personal Liability: Because directors, executive management and even CIOs and CISOs are increasingly being terminated and finding themselves in the crosshairs of complicated internal investigations, litigation, and regulatory investigations, it is ever more important that these individuals become more familiar with post-breach response, investigations, and litigation. Post-incident response activities will be key, including documenting their work and decisions, consulting with SEC disclosure counsel about the incident, and evaluating existing insurance coverage.
Detect – Policies, procedures and critical mapping: As part of companies’ ongoing cybersecurity program assessments (risk assessments, periodic policy/procedure reviews, etc.), they should also assess their disclosure controls and procedures to provide reasonable assurance that cybersecurity incidents and breaches are escalated to executive management and the legal department to decide if disclosure pursuant to the federal securities laws (not just state data breach or contractually required notification) is necessary. The key for public companies in being able to properly disclose cybersecurity risks is identifying them and ensuring that management is sufficiently aware of the risks to be in a position to determine whether, and to what extent, they should be disclosed. Having reasonably designed disclosure controls and procedures in place makes that possible. Strong disclosure controls and procedures also enhance defenses against claims challenging the accuracy of the company’s SEC disclosures or its efforts to monitor and disclose cybersecurity incidents.
Respond – Incident Response Plans: Companies should also make sure that their incident response plans coordinate the communications, legal, and management teams’ actions before, during and after an incident to avoid misstatements and potential insider-trading liability. For example, the company’s incident response plan should make reference to disclosure controls and procedures that incorporate escalation of cybersecurity incidents and coordination with SEC disclosure counsel and the company’s disclosure or other applicable committees. In addition, companies should consider implementing an event-specific trading blackout period that prohibits specified individuals from trading in company stock after the company identifies a cyber incident, and keeping it in place until the company has completed its investigation of the incident and has either determined that it is not material or, where appropriate, disclosed it. The blackout period should be cross-referenced in the company’s insider-trading policy and incident response plan.
Recover – Remediation: Post-incident, companies should focus on remediating vulnerabilities and security control weaknesses that allowed unauthorized access to, or acquisition of, data and information assets. Too often, in the aftermath of a breach, companies have failed to address security issues and enhance surrounding and compensating controls, which have unfortunately led to follow-on security incidents. In the eyes of regulators, this is the cardinal sin that can be avoided.
With the SEC requesting a bigger budget in 2018, and dedicating more and more resources to cybersecurity matters, this should be an area of focus for companies and their officers and directors going forward. While a data breach may be unavoidable, legal liability in the aftermath of a breach is not.
Ken Herzinger is chair of Orrick, Herrington & Sutcliffe LLP’s white collar and securities litigation practice, and a former SEC enforcement attorney. Aravind Swaminathan is co-chair of Orrick’s global cyber, privacy and data innovation practice.