Responding to a request from members of the Senate, the SEC has published official guidance regarding the obligation of publicly traded companies to address the economic consequences of cyber-attacks. The guidance, which does not have the binding authority of law or regulation, will still shape the disclosure decisions of public companies.
The obligation to report likely arises from the more general obligation of public companies to disclose material risks, a point the guidance emphasizes.
“Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents.”
For purposes of the disclosure, cybersecurity has been defined as “the body of technologies, processes and practices designed to protect networks, systems, computers, programs and data from attack, damage or unauthorized access.” The definition cites Whatis?com available at http://whatis.techtarget.com/definition/cybersecurity.html.
The guidance illustrates the types of issues that can rise to material importance for the public.
Registrants that fall victim to successful cyber attacks may incur substantial costs and suffer other negative consequences, which may include, but are not limited to:
- Remediation costs that may include liability for stolen assets or information and repairing system damage that may have been caused. Remediation costs may also include incentives offered to customers or other business partners in an effort to maintain the business relationships after an attack;
- Increased cybersecurity protection costs that may include organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third party experts and consultants;
- Lost revenues resulting from unauthorized use of proprietary information or the failure to retain or attract customers following an attack;
- Litigation; and
- Reputational damage adversely affecting customer or investor confidence.
The need for guidance was triggered by a letter sent to the SEC Chairperson, Mary Schapiro, on May 11, 2011 by five members of the Senate. The letter demanded better disclosure.
“In light of the growing threat and the national security and economic ramifications of successful attacks against American businesses, it is essential that corporate leaders know their responsibility for managing and disclosing information security risk. … Beyond our concerns about material information security risk, we believe that once a material network breach has occurred, leaders of publicly traded companies may not fully understand their affirmative obligations to disclose information on potentially compromised intellectual property or trade secrets.”
The new guidance is simply a reminder that the threats and ramifications of network breaches and theft of intellectual property have material implications for the value of publicly traded companies and, as such, must be addressed in the ongoing public disclosures of affected companies.