SEC Trends & Developments - Winter 2012 - SEC Disclosure on Cyber Security
"Six big U.S. banks had their websites jammed, one after another, preventing their customers from logging on to their personal or business accounts, and from paying bills online. The banks affected were Bank of America, JPMorgan Chase, Citigroup, U.S. Bank, Wells Fargo and PNC." -- CNN News
"Hackers orchestrated multiple breaches of Sony's PlayStation Network knocking it offline for 24 days and costing the company an estimated $171 million." -- Forbes
"Citibank says a cyber-attack affected 360,000 accounts. Of those affected, some 217,657 customers were reissued new cards along with a notification letter, while the remaining accounts were either inactive or had already received new cards earlier." -- Reuters
These are just some of the stories that offer a glimpse into the growing record of cyber-attacks. Just how prevalent are cyber-attacks? Consider the following:
- Cyber-attacks on U.S. networks rose 17-fold from 2009 to 2011.
- Many companies, particularly in the area of credit card processing, are losing ground in this battle because they balk at the expense of higher security.
- Businesses are spending $10 billion a year globally to fight cybercrime.
- Companies have been migrating to increased levels of dependence on digital technologies in order to conduct their business operations.
- Many experts advise that companies should be asking "when" they will be the victim of a cybercrime rather than "if."
The negative consequences of these attacks can include, in addition to the damage to the company's reputation, significant remediation costs related to stolen assets or information, repairing systems and potential damage payments to customers impacted by the crime. In addition, companies typically incur more cyber security protection costs after an attack in an effort to protect their brands, train their employees, and defend ensuing litigation.
As a result of these growing risks, and the costs related to them, the Securities and Exchange Commission ("SEC") released disclosure guidance entitled "CF Disclosure Guidance: Topic No. 2: Cybersecurity" (the "Guidance"). This Guidance provides the Division of Corporation Finance's views regarding disclosure obligations relating to cyber security risks and cyber incidents. While there are no existing disclosure requirements explicitly referring to these risks, the SEC contends that other disclosure requirements may already impose an obligation on registrants.
Registrants are already required to provide extensive disclosures in the risk factors section of their periodic filings. In this Guidance, the SEC stated that registrants should disclose cyber incidents if these issues are among the most significant factors that make an investment in a company speculative or risky. Companies are being asked to evaluate and consider (i) their cyber security risks; (ii) all relevant information, including prior cyber incidents and their frequency and severity; (iii) the possibility of cyber incidents occurring; and (iv) the potential magnitude of cyber incidents. While these considerations may seem hypothetical, the SEC has asked that registrants avoid using a generic risk factor in favor of entity-specific disclosures.
By way of example, in January of this year, hackers broke into the servers of Zappos (a subsidiary of Amazon.com) and stole 24 million customer names and e-mail addresses. The SEC asked that Amazon "expand this risk factor to disclose that you have experienced cyber-attacks and breaches." Amazon responded that the attacks were not significant enough to disclose; however, the SEC did not agree with this conclusion, and Amazon ultimately expanded its disclosures accordingly.
Amazon is not the only company approached by the SEC to provide additional disclosure. During 2012, Google, AIG, Hartford Financial Services Group, Eastman Chemical, and Quest Diagnostics were all asked by the SEC to expand their cyber security risk disclosures; ultimately, all of them complied.
Other disclosure considerations
While the bulk of the Guidance focused on risk factors, the Staff also advocates the inclusion of cyber security disclosures in the following areas of a company's periodic filings:
- Management's Discussion and Analysis ("MD&A") – Registrants should disclose cyber security and cyber incidents in their MD&A if:
  - The costs and other consequences of one or more known/potential incidents represent a material event; and
  - They represent a trend or uncertainty that is reasonably likely.
- Description of Business – If one, or more, incidents materially affect a product, service, customer relationship or competitive condition, then the matter should be disclosed herein.
- Legal Proceedings – Consistent with all other material pending proceedings, registrants must include those that relate to a cyber incident. This was always true under existing disclosure guidance.
- Financial Statement Disclosures – Potential or actual cyber incidents may have a broad impact on the financial statements, including (i) capitalization of costs incurred to prevent cyber incidents; and (ii) mitigating damages (customer incentives, losses from asserted/unasserted claims, impairments, accounting estimates, and related litigation costs).
- Disclosure Controls and Procedures – Disclose conclusions on whether the exposure to incidents or potential incidents demonstrates that the company's disclosure controls and procedures may be ineffective.
Many registrants have argued that this Guidance exposes companies to additional litigation risks and may even provide hackers with insight into their vulnerabilities. The SEC concedes that a delicate balance exists between providing sufficient disclosure for investors to gain an appreciation of the risks facing the entity without further compromising their security. As we have been seeing with recent disclosures related to climate change, conflict minerals, sustainability, and Dodd-Frank rulemaking, the SEC is clearly showing its preference for registrants to disclose matters that are in the greater interest of the investing public. While this Guidance does not represent an official ruling of the SEC, companies will quickly find out that the SEC is taking the issue of cyber security very seriously, and will require companies through the review and comment process to justify what they have decided to disclose or not disclose in light of this Guidance.