By Katie W. Johnson
March 13 –Although the Securities and Exchange Commission doesn’t require companies to disclose cybersecurity risks and incidents, companies should establish a disclosure framework in light of the SEC’s cybersecurity guidance, attorneys said March 7 at the International Association of Privacy Professionals Global Privacy Summit.
General counsels have identified cybersecurity as their number one issue three years in a row in one survey, Mary Ellen Callahan, chair of the Privacy and Information Governance Practice at Jenner Block LLP and former chief privacy officer at the Department of Homeland Security, said.
The Securities and Exchange Commission began to review public company disclosures on cybersecurity only two years ago, Elaine Wolff, partner at Jenner Block and moderator of the session on the SEC and cybersecurity, said. In October 2011, the SEC’s Division of Corporation Finance released cybersecurity risk and incident disclosure guidance.
The SEC plans to review its cybersecurity policies this year, starting with asset managers, Wolff said. The SEC’s renewed interest stems not only from specific breaches, but also from pressure from Sen. Jay Rockefeller (D.-W.Va.), she said.
In April 2013, Rockfeller sent a letter to SEC Chairman Mary Jo White urging her to issue formal guidance on disclosure of cybersecurity risks . White responded the following month, explaining that her staff was reviewing public companies’ disclosure of cybersecurity risks with an eye to whether additional guidance is needed .
Wolff also noted that the SEC plans to hold a March 26 round table on cybersecurity issues .
The SEC is developing a data breach preparedness test for companies and others registered with the commission (see related report).
Materiality Threshold
The SEC’s cybersecurity guidance is informal guidance, Wolff said. The important thing to know about the guidance is that “there is no existing rule, requirement or regulation that actually references cybersecurity,” she said.
Materiality is the first question a company should ask when making a cybersecurity disclosure, Wolff said. But “it’s been my observation that many security breaches don’t come near the materiality threshold,” Nicole Maddrey, vice president, deputy general counsel and assistant secretary at Graham Holdings, said.
Callahan asked the panel whether a company should use boilerplate language to disclose the potential of breaches. “Once everyone includes a risk factor, how meaningful is a risk factor?” Tangela Richter, general counsel, direct bank and brokerage at Capital One, said. At the same time, Maddrey said, a company doesn’t want to print a “roadmap” of its vulnerabilities.
Callahan also emphasized the importance of involving a company’s board and audit committee in addressing cybersecurity risks. For example, cybersecurity education should be mandatory for directors, board members should understand a company’s “risk profile” and a company should have a board-level reporting system, according to the speakers’ presentation.
A separate panel session at the summit focused on how privacy professionals can better educate chief executive officers on cybersecurity risks (see related report).
Guidance Best Practices
Companies should avoid a discussion of “generic risk factors” in the “Risk Factors” section of their disclosures, Richter said.
Areas to address as risk factors include the probability of cybersecurity incidents, the quantitative and qualitative magnitude of cybersecurity risks, the potential costs and consequences of any incidents, preventive actions taken to reduce risks and any threats or attacks of which the company is aware, she said.
The risk factors section is where a company discloses material breaches that have occurred and how it has dealt with them, according to the speakers’ presentation. A company should include a separate heading for cybersecurity risks, according to the presentation.
The “Management’s Discussion and Analysis of Financial Condition and Results of Operations (MDA)” section is the “meat” of a company’s financial disclosure, Wolff and Maddrey said.
If a company has experienced a cybersecurity incident, the MDA section is where the company discusses costs related to the incident, Maddrey said. Those costs include insurance coverage, ongoing costs, the company’s overall financial condition and future financial results, she said.
In the Description of Business section, a company should discuss whether a cybersecurity incident impaired a product’s future viability, Wolff said.
Form 8-K Best Practices
Callahan asked the panel why Target Corp. didn’t immediately file a Form 8-K after it announced a data breach in December 2013.
Form 8-K filings are required when publicly traded companies face “unscheduled material events or corporate changes,” according to the SEC.
In December 2013, Target announced a hacking breach of payment card information for approximately 40 million customers and later revealed that contact information for 70 million customers had also been compromised .
On Feb. 26, the company filed a Form 8-K in which it discussed the breach (13 PVLR 434, 3/10/14).
A Form 8-K is what a company files to put investors on notice that an event occurred, Maddrey explained. A data breach isn’t one of the listed events that trigger such a notice, she said.
The SEC guidance referenced the list of required disclosures under its Regulation S-K, saying that cybersecurity issues could be considered in each of the disclosure areas.
Form 8-K triggers haven’t been changed since 2004 and aren’t likely to change, Wolff said. However, the SEC is reviewing Regulation S-K, and “I could see the SEC say you need to discuss cybersecurity,” she said.
Until that trigger is changed, there will likely be more disclosures like Target’s Form 8-K, Maddrey said.
By Katie W. Johnson
To contact the reporter on this story: Katie W. Johnson in Washington at kjohnson@bna.com
To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com