Cybersecurity affects everyone, from the government to private and public companies and their investors. Technology connects us, yet security issues can wreak havoc on financial markets. According to Cisco's 2017 Annual Cybersecurity Report, "over one-third of organizations that experienced a breach in 2016, reported revenue loss of more than 20 percent." After an incident, a company may lose clients and suffer a damaged reputation. This threat will only continue to grow. How a company prepares for, and responds to, cybersecurity incidents is critical. Diligent and transparent disclosure is key for a company to inform investors and the market. John Beckman, from Hogan Lovells, shares his expertise and practical advice on cybersecurity disclosure in our recent podcast. See the April Dimensions issue for more information on the SEC’s current guidance for reporting companies.
SEC EDGAR breach and lessons learned
On September 20, 2017, the SEC announced the EDGAR filing system was compromised in 2016. SEC Chair Jay Clayton stated: “Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic. We must be vigilant. We also must recognize—in both the public and private sectors, including the SEC—that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.” Many public and private companies have experienced data breaches affecting millions of people across the world. Consumers trust companies to store and secure their personal data. The SEC also hosts large amounts of secure data, some confidential and some public. As Clayton emphasizes, cybersecurity risk and response are a reality for regulators and companies alike.
In 2011, the Division of Corporation Finance issued guidance for companies regarding cybersecurity. Under Clayton, the SEC expanded this guidance in February 2018. The recent release carries the full weight of the SEC and not just Corp Fin, emphasizing how seriously the Commission views the matter. Several serious data breaches in recent years were not reported quickly or clearly. In April, the SEC charged Yahoo regarding one of the world's largest data breaches. Interestingly, the SEC order doesn’t specifically fault Yahoo for the incident, only their response. The SEC charges focus on their lack of proper controls. Yahoo did not inform their auditors or outside counsel to assess their disclosure obligations and did not mention the breach in any of their 2015 and 2016 quarterly and annual reports.
Cybersecurity disclosure needs to be effective and transparent
Effective and transparent cybersecurity disclosure comes in two phases: before and after an incident. Cyber disclosure should be woven throughout a company’s ongoing reporting: in their MD&A, risk factors, control policies, financials, and more depending on the circumstances. This framework provides the structure for how a company should respond and report during and after an incident. The SEC Investor Advisory Committee noted that many companies only report boilerplate language regarding their efforts to secure their services, products and data. Jina Choi, Director of the SEC's San Francisco Office, observed: “Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.”
There are several specific disclosure areas to consider in light of a cybersecurity incident.
- Insider trading draws headlines. Companies should have protocols in place to prevent any questionable Section 16 transactions after an incident is detected. John Beckman advises that: “The SEC is concerned about trading in advance of the company’s announcement of a cyber incident. They expect the application of trading prohibitions even before decisions have been made on materiality. Notably, the SEC cautions companies to consider the appearance of trading in advance of such announcements.”
- Form 8-K is used to inform investors of significant events and issues between 10-Q and 10-K filings. An 8-K filing is generally due within four days after the event being reported. It may take time to detect and investigate an incident. However, the SEC guidance “encourages companies to continue to use Form 8-K to disclose material information promptly, including disclosure pertaining to cybersecurity matters. This practice reduces the risk of selective disclosure, as well as the risk that trading in their securities on the basis of material non-public information may occur.”
- After an incident, companies should clearly disclose in their periodic reports the impact and plans to prevent recurrences. Financial statements should clearly reflect any losses in revenue and costs to mitigate a data breach.
SEC disclosure is a question of “materiality”: would a shareholder find that the information affects their decision to invest? The SEC makes it clear that they do not want to scrutinize a company’s response to a data breach but will be watching and will act when needed. “We do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to an event could be so lacking that an enforcement action would be warranted,” said Steven Peikin, Co-Director of the SEC Enforcement Division.
According to John Beckman, successful recovery after an issue depends on how the company reacts and reports. “Once a company experiences a major cybersecurity incident, many constituents, including the SEC, government regulators, Congress, customers and shareholders, will demand transparency. Companies that are able to respond with meaningful disclosure about what happened, what the company did in response, and what the company is doing to ensure it won’t happen again, will be better off. The next proxy statement after a major cybersecurity incident is usually the place where the Board can be transparent and walk people through the Board’s and the Company’s response to the incident and risk oversight improvements.”
Listen to the podcast for more insights.