On September 26, 2016, Senator Mark R. Warner (D-VA), a member of the Senate Intelligence and Banking Committees and cofounder of the bipartisan Senate Cybersecurity Caucus, wrote a letter to the SEC requesting that they investigate whether Yahoo, Inc., fulfilled its disclosure obligations under the federal securities laws related to a security breach that affected more than 500 million accounts. Senator Warner also requested that the SEC re-examine its guidance and requirements related to the disclosure of cybersecurity matters in general.
The letter was precipitated by a September 22, 2016, 8-K and press release issued by Yahoo disclosing the theft of certain user account information that occurred in late 2014. The press release referred to a “recent investigation” confirming that user account information associated with at least 500 million accounts was stolen in late 2014. Just 13 days prior to the 8-K and press release, on September 9, 2016, Yahoo filed a preliminary 14A filing with the SEC related to the sale of Yahoo’s operating business to Verizon Communications, Inc., in which it stated that it did not have any knowledge of “any incidents of, or third party claims alleging… unauthorized access” of personal data of its customers that could have a material effect on the Verizon-Yahoo transaction.
The September 22 filing was the first disclosure by Yahoo of the hack and has raised many questions as to when it knew about the 2014 cyberattack and what its duties were to publicly disclose it. The hack has also raised questions related to the SEC’s current rules and thresholds for how and when companies need to report a material data breach.
This blog provides a summary of the current SEC guidelines related to disclosures of cybersecurity risks and incidents as well as a summary of current disclosure practices among reporting companies.
SEC Guidance on Disclosure of Cybersecurity Matters
On October 13, 2011, the SEC issued a Disclosure Guidance related to cybersecurity risks and cyber incidents. The guidance attempts to find a balance between satisfying the disclosure mandates of providing material information related to risks to the investing community with a company’s need to refrain from providing disclosure that could, in and of itself, provide a road map to the very breaches a company attempts to prevent. In that regard, the SEC is clear that disclosure of actual detailed security measures is not required. As with the rules on disclosure in general, companies must consider their specific facts and circumstances in determining the required disclosure, if any.
Cyber-incidents can take many forms, both intentional and unintentional, and commonly include unauthorized access to information (including personal information related to customers’ accounts or credit information), corruption of data, misappropriation of assets or sensitive information, and operational disruption. A cyber-attack can take the form of either unauthorized access or the blocking of authorized access.
The purpose of a cyber-attack can vary as much as the methodology used, ranging from financial gain, such as the theft of financial assets, intellectual property or sensitive personal information, on the one hand, to a vengeful or terrorist motive pursued through business disruption on the other. A primary example of the latter is the well-known hacking of the Sony Pictures Entertainment email system in 2014.
When it falls victim to a cyber-attack or incident, a company may suffer both direct financial and indirect negative consequences, including but not limited to:
- Remediation costs, including liability for stolen assets, costs of repairing system damage, and incentives or other costs associated with repairing customer and business relationships;
- Increased cybersecurity protection costs to prevent both future attacks and the potential damage caused by same. These costs include organizational changes, employee training and engaging third-party experts and consultants;
- Lost revenues from unauthorized use of proprietary information and lost customers;
- Litigation; and
- Reputational damage.
Consistent with all disclosure guidance, the SEC begins its guideline with the basic premise that the disclosure requirements are meant to “elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision.” With that said, as of the date of the guidance, and as of today, there is no specific disclosure requirement or rule under either Regulation S-K or S-X that addresses cybersecurity risks, attacks or other incidents.
However, as discussed further in this blog, many of the disclosure rules encompass these disclosures indirectly, such as risk factors, internal control assessments, management discussion and analysis, legal proceedings and financial statement loss contingencies. Moreover, as with all other disclosure requirements, an obligation to disclose cybersecurity risks, attacks or other incidents may be triggered by the need to keep other required disclosures from being misleading in light of the circumstances.
Obviously, where appropriate, cybersecurity risks need to be included in risk factor disclosures. The SEC guidance in this regard is very common-sense. The SEC expects companies to “evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents.” In addition, companies should consider the probability of an incident and the quantitative and qualitative magnitude of the risk, including potential costs and other consequences of an attack or other incident. Consideration should be given to the potential impact of the misappropriation of assets or sensitive information, corruption of data or operational disruptions. A company should also consider the adequacy of the preventative processes and the plans in place should an attack occur. Actual or threatened attacks may themselves be material and require disclosure.
As with all risk-factor disclosures, the company must adequately describe the nature of the material risks and how such risks affect the company. Likewise, generic risk factors that could apply to all companies should not be included. Risk factor disclosure may include:
- Discussion of the company’s business operations that give rise to material cybersecurity risks and the potential costs and consequences;
- Discussion of any outsourcing of functions that give rise to risks or preventative measures;
- Description of past incidents, including their costs and consequences;
- Risks of cyber-incidents that could remain undetected for a period of time; and
- Description of insurance coverage.
Management Discussion and Analysis (MD&A)
A company would need to include discussion of cybersecurity risks and incidents in its MD&A if the costs or other consequences associated with one or more known incidents, or the risk of potential future incidents, result in a material event, trend or uncertainty that is reasonably likely to have a material effect on the company’s results of operations, liquidity or financial condition, or could impact previously reported financial statements. The discussion should include any material realized or potential reduction in revenues, increase in cybersecurity protection costs, and related litigation. Furthermore, even if an attack did not result in direct losses, such as in the case of a failed attack attempt, but does result in other consequences, such as a material increase in cybersecurity expenses, disclosure would be appropriate.
Business Description; Legal Proceedings
Disclosure of cyber-related matters may be required in a company’s business description where they affect a company’s products, services, relationships with customers and suppliers or competitive conditions. Likewise, material litigation would need to be included in the “legal proceedings” section of a periodic report or registration statement.
Cyber-matters may need to be reflected in a company’s financial statements prior to, during and/or after an incident. Costs to prevent cyber-incidents are generally capitalized and included on the balance sheet as an asset. GAAP provides for specific recognition, measurement and classification treatment for the payment of incentives to customers or business relations, including after a cyber-attack. Cyber-incidents can also result in direct losses or the need to account for loss contingencies, including those related to warranties, breach of contract, product recall and replacement, indemnification or remediation. Furthermore, incidents can result in the loss of, and therefore accounting impairment to, goodwill, intangible assets, trademarks, patents, capitalized software and even inventory.
Controls and Procedures
To the extent that cyber-matters affect a company’s ability to record, process, summarize and report financial and other information in SEC filings, management will need to consider whether there is a reportable deficiency in disclosure controls and procedures.
Disclosure in Practice
The Yahoo hacking incident resulted in numerous media articles and blogs related to the disclosure of cyber-matters in SEC reports. One such blog was written by Kevin LaCroix and published in the D&O Diary. Mr. LaCroix’s blog points out that according to a September 19, 2016, Wall Street Journal article, cyber-attacks are occurring more frequently than ever but are rarely reported. The article cites a report that reviewed the filings of 9,000 public companies from 2010 to the present and found that only 95 of these companies had informed the SEC of a data breach.
As reported in a blog published by Debevoise and Plimpton, dated September 12, 2016, (thank you, thecorporatecounsel.net), a review of Fortune 100 cyber-reporting practices revealed that most disclosures are contained in the risk-factor section of regular periodic reports such as Forms 10-Q and 10-K as opposed to interim disclosures in a Form 8-K. Moreover, only 20 incidents were reported at all in the period from January 2013 through the third quarter of 2015.
My opinion (which was also Mr. LaCroix’s opinion and that of most of the industry) is that companies are relying on the materiality standard to avoid disclosure of cyber-incidents. Most public-company hacking involves large organizations that can reasonably make the judgment call that the incident and its effects are not material to investment decisions. See HERE for a discussion on materiality.
In 2011, at the time of the SEC release, a noticeable increase in reliance on technology by all businesses prompted the issuance of the guidance. Today, the prevalence of technological reliance and cyber-incidents has increased dramatically and as such, it is my view that it is time for the SEC to review and update their guidance.
The SEC focuses time and financial resources on the use of technology by the SEC itself and market participants. In November 2015, the SEC adopted Regulation Systems Compliance and Integrity, which requires key market participants to have comprehensive written policies and procedures to ensure the security and resilience of their technological systems, to ensure that systems operate in compliance with federal securities laws and to provide for maintenance and testing of such systems. For more information see my blog HERE.
Recap on Disclosure Effectiveness Initiative
The disclosure of cybersecurity risks, attacks or other incidents is ultimately just a disclosure. As I’ve been writing about often recently, disclosure has been and continues to be a topic of examination and regulatory change.
On August 31, 2016, the SEC issued proposed amendments to Item 601 of Regulation S-K to require hyperlinks to exhibits in filings made with the SEC. The proposed amendments would require any company filing registration statements or reports with the SEC to include a hyperlink to all exhibits listed on the exhibit list. In addition, because ASCII cannot support hyperlinks, the proposed amendment would also require that all exhibits be filed in HTML format. See my blog HERE on the Item 601 proposed changes.
On August 25, 2016, the SEC requested public comment on possible changes to the disclosure requirements in Subpart 400 of Regulation S-K. Subpart 400 encompasses disclosures related to management, certain security holders and corporate governance. See my blog on the request for comment HERE.
On July 13, 2016, the SEC issued a proposed rule change on Regulation S-K and Regulation S-X to amend disclosures that are redundant, duplicative, overlapping, outdated or superseded (S-K and S-X Amendments). See my blog on the proposed rule change HERE.
That proposed rule change and request for comments followed the concept release and request for public comment on sweeping changes to certain business and financial disclosure requirements issued on April 15, 2016. See my two-part blog on the S-K Concept Release HERE and HERE.
As part of the same initiative, on June 27, 2016, the SEC issued proposed amendments to the definition of “Small Reporting Company” (see my blog HERE). The SEC also previously issued a release related to disclosure requirements for entities other than the reporting company itself, including subsidiaries, acquired businesses, issuers of guaranteed securities and affiliates. See my blog HERE.
As part of the ongoing Disclosure Effectiveness Initiative, in September 2015 the SEC Advisory Committee on Small and Emerging Companies met and finalized its recommendation to the SEC regarding changes to the disclosure requirements for smaller publicly traded companies. For more information on that topic and for a discussion of the Reporting Requirements in general, see my blog HERE.
In March 2015 the American Bar Association submitted its second comment letter to the SEC making recommendations for changes to Regulation S-K. For more information on that topic, see my blog HERE.
In early December 2015 the FAST Act was passed into law. The FAST Act requires the SEC to adopt or amend rules to: (i) allow issuers to include a summary page to Form 10-K; and (ii) scale or eliminate duplicative, antiquated or unnecessary requirements for emerging-growth companies, accelerated filers, smaller reporting companies and other smaller issuers in Regulation S-K. The current Regulation S-K and S-X Amendments are part of this initiative. In addition, the SEC is required to conduct a study within one year on all Regulation S-K disclosure requirements to determine how best to amend and modernize the rules to reduce costs and burdens while still providing all material information. See my blog HERE.
Securities attorney Laura Anthony and her experienced legal team provide ongoing corporate counsel to small and mid-size private companies, OTC and exchange traded issuers as well as private companies going public on the NASDAQ, NYSE MKT or over-the-counter market, such as the OTCQB and OTCQX. For nearly two decades Legal & Compliance, LLC has served clients providing fast, personalized, cutting-edge legal service. The firm’s reputation and relationships provide invaluable resources to clients including introductions to investment bankers, broker dealers, institutional investors and other strategic alliances. The firm’s focus includes, but is not limited to, compliance with the Securities Act of 1933 offer, sale and registration requirements, including private placement transactions under Regulation D and Regulation S and PIPE Transactions as well as registration statements on Forms S-1, S-8 and S-4; compliance with the reporting requirements of the Securities Exchange Act of 1934, including registration on Form 10, reporting on Forms 10-Q, 10-K and 8-K, and 14C Information and 14A Proxy Statements; Regulation A/A+ offerings; all forms of going public transactions; mergers and acquisitions including both reverse mergers and forward mergers; applications to and compliance with the corporate governance requirements of securities exchanges including NASDAQ and NYSE MKT; crowdfunding; corporate; and general contract and business transactions. Moreover, Ms. Anthony and her firm represent both target and acquiring companies in reverse mergers and forward mergers, including the preparation of transaction documents such as merger agreements, share exchange agreements, stock purchase agreements, asset purchase agreements and reorganization agreements. Ms. Anthony’s legal team prepares the necessary documentation and assists in completing the requirements of federal and state securities laws and SROs such as FINRA and DTC for 15c2-11 applications, corporate name changes, reverse and forward splits and changes of domicile. Ms. Anthony is also the author of SecuritiesLawBlog.com, the OTC Market’s top source for industry news, and the producer and host of LawCast.com, the securities law network. In addition to many other major metropolitan areas, the firm currently represents clients in New York, Las Vegas, Los Angeles, Miami, Boca Raton, West Palm Beach, Atlanta, Phoenix, Scottsdale, Charlotte, Cincinnati, Cleveland, Washington, D.C., Denver, Tampa, Detroit and Dallas.
© Legal & Compliance, LLC 2016