Given the cybersecurity risks and threats companies face and the recent spate of well publicized cyberattacks, it is no surprise that the U.S. Securities and Exchange Commission (the “SEC”) requires issuers to disclose cybersecurity risks and incidents applicable to them in the risk factor disclosure in connection with securities offerings and in other disclosure filings.
This advisory summarizes the SEC’s guidance on disclosing cybersecurity risks and incidents.
As detailed below, issuers should make sure their disclosures are accurate, tailored to the specific threat and continuously updated whenever any event materializes, even if the incident is not a cyberattack but merely a discovery of a vulnerability. Issuers must maintain efficient disclosure controls to ensure this process.
Background to Risk Factors (In General)
The description of risk factors affecting a securities offering and its issuer has long been required in registration statements under the Securities Act of 1933 (the “Securities Act”.) Disclosure was not required in periodic filings until the SEC adopted a securities offering reform package of rules in July 2005 that significantly advanced the registration, communications, and offering processes under the Securities Act and the Securities Exchange Act of 1934 (the “Exchange Act”.) These rules also furthered the SEC’s long-term efforts toward integrating disclosure and processes under the Securities Act and the Exchange Act.
Despite the absence of an obligation to do so, many companies already included such disclosure and discussion voluntarily prior to the adoption of the new rules, as a precaution, because of a series of court cases that enunciated the “bespeaks caution” doctrine, which protected statements of future forecasts, projections and expectations in an offering or other disclosure document from being found misleading if they contained adequate cautionary language disclosing specific risks affecting the outcome of those forward-looking statements. As part of its Securities Offering Reform, the SEC also adopted Rule 168 to create a safe harbor for the regular release of forward-looking information despite ongoing or proposed registered offerings.
Beginning in December 2005, issuers have been required to include disclosure and discussion of risk factors in their annual reports in a similar fashion to what was already required in registration statements. Although in the adopting release the SEC discouraged companies from unnecessarily restating or repeating the issuer’s risk factors in every quarterly report on Form 10-Q , it did mandate quarterly filers to evaluate their previous disclosure regarding risk factors and to include in each quarterly report additional disclosures needed to reflect material changes from previous disclosures.
The SEC Weighs in on Cybersecurity Risk Factors in Particular
In October 2011, the Division of Corporation Finance issued guidance regarding disclosure obligations relating to cybersecurity risks and cyber incidents, including guidance on discussing cybersecurity in risk factors (the “2011 Guidance”.)
To the extent that the cybersecurity risks are significant and make an investment in the issuer speculative or risky, the 2011 Guidance required disclosure of the risk of cyber incidents affecting the issuer. It recommended that issuers assess their cybersecurity risks considering all relevant information, including prior incidents, the severity and frequency of those incidents from quantitative and qualitative perspectives, and the costs and consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption. Issuers were also encouraged to consider the adequacy of preventative actions taken to reduce cybersecurity risks from the perspective of the industry in which the issuer operated, including threatened attacks of which the issuer was cognizant. Issuers were instructed to include “material risks” and describe how specific risks might affect them as contextually as possible, avoiding generic risks and effects.
2018 Updated Guidance
In February 2018, the SEC issued Release No. 33-10459 —“Commission Statement & Guidance on Public Company Cybersecurity Disclosures” (the “2018 Guidance”) which was intended to help issuers prepare risk factor and other periodic disclosure about cybersecurity risks and incidents. It also addressed the importance of appropriate disclosure controls and procedures and insider trading policies when dealing with cybersecurity incidents and risks.
Similar to the 2011 Guidance, the updated 2018 Guidance encouraged issuers to avoid providing generic cybersecurity-related disclosures.
Issuers were advised to consider the following:
- the occurrence of prior cybersecurity incidents, including their severity and frequency;
- the probability of the occurrence and potential magnitude of cybersecurity incidents;
- the adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including, if appropriate, discussing the limits of the company’s ability to prevent or mitigate certain cybersecurity risks;
- the aspects of the company’s business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks, including industry-specific risks and third-party supplier and service provider risks;
- the costs associated with maintaining cybersecurity protections, including, if applicable, insurance coverage relating to cybersecurity incidents or payments to service providers;
- the potential for reputational harm;
- existing or pending laws and regulations relating to cybersecurity that may affect the requirements to which the issuer’s businesses are subject or the associated costs of compliance; and
- litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.
2021 Regulatory Agenda and Proposed Rule
On June 11, 2021, the SEC announced that it would focus on cybersecurity disclosures made by public companies as part of its regulatory agenda. The SEC is expected to issue a rule proposal on cybersecurity risk disclosures during the fourth quarter of 2021, as early as October 21 if it meets its deadline.
The SEC also provides cybersecurity guidance to broker-dealers, investment advisers, investment companies, exchanges, and other market participants in order to protect their customers from cyber threats. For these SEC-regulated industries, the SEC staff has focused on specific risks. For example, the Office of Compliance Inspections and Examinations (now the Division of Examinations) issued Cybersecurity and Resiliency Observations in January 2020, followed by a Ransomware Alert in July 2020. These alerts noted that failures could affect registrants or their service providers and that proper incident response includes “appropriate disclosure of material information regarding incidents.”
From Guidance to Enforcement
For years, the SEC warned that it would eventually enforce some of the guidelines regarding risk factors. A number of proceedings demonstrate the SEC’s approach.
- The Facebook settlement:
The first incident that garnered serious public attention was Facebook’s settlement with the SEC in July 2019. Facebook agreed to pay $100 million for alleged misstatements in its SEC filings disclosure, which described the misuse of user data as a hypothetical occurrence, when the SEC alleged that such misuse had already occurred.
According to the SEC’s complaint, in 2014 and 2015, the now-defunct advertising and data analytics company, Cambridge Analytica, paid an academic researcher, through a company he controlled, to collect and transfer data from Facebook improperly. The SEC’s complaint alleged that Facebook discovered the misuse of its users’ information in 2015, but did not correct its existing disclosure for more than two years. Instead, Facebook continued to tell investors that the potential for misuse of user data is merely a hypothetical investment risk.
Facebook’s quarterly and annual Form 10-Q and Form 10-K filings cautioned that:
“Any failure to prevent or mitigate security breaches and improper access to or disclosure of our data or our user data could result in the loss or misuse of such data, which could harm our business and reputation and diminish our competitive position”; and
“If developers fail to adopt or adhere to adequate data security practices . . . our data or our users’ data may be improperly accessed, used, or disclosed”.
According to the SEC complaint, Facebook reinforced this false impression when it told news reporters who were investigating Cambridge Analytica’s use of Facebook user data that it had discovered no evidence of wrongdoing. When Facebook finally did disclose the incident in March 2018, its stock price dropped.
- The Pearson settlement:
On August 16, 2021, the SEC announced a settlement with Pearson plc, a London-based company that primarily provides educational publishing services to schools and universities, for making a misleading risk factor disclosure about data breaches. Pearson collected large volumes of student data and administrator log-in credentials, and learned in March 2019 that “millions of rows of student data and usernames and hashed passwords” had been stolen by a sophisticated threat actor. Pearson mailed a breach notice to customers in July 2019 but did not disclose the breach in its SEC filings. Instead, its next SEC filing included a statement that a data privacy incident was a risk that “could result” in a major breach.
The SEC alleged that the SEC filing (and a subsequent media statement as well) were misleading because they characterized a known harm as a hypothetical risk.
Pearson also claimed that it had “strict protections” in place when in reality, it took Pearson six months to patch the vulnerability. While Pearson did not admit wrongdoing as part of the settlement, Pearson agreed to pay a $1 million penalty.
- The Alphabet litigation:
In re Alphabet Securities Litigation is a Rule10b-5 action brought by the State of Rhode Island, as lead plaintiff against Google LLC, its holding company Alphabet, Inc., and certain executives, alleging that the defendants failed to timely disclose certain cybersecurity defects and vulnerabilities.
According to the complaint, amid the furor caused by news that Cambridge Analytica improperly harvested user data from Facebook’s social network, Google discovered that a security glitch in its Google+ social network had left the private data of some hundreds of thousands of users exposed to third-party developers for three years and that Google+ was plagued by multiple other security vulnerabilities. Warned by its legal and policy staff that disclosure of these issues would result in immediate regulatory and governmental scrutiny, Google and Alphabet chose to conceal this discovery, made generic statements about how cybersecurity risks could affect their business, and stated that there had been no material changes to Alphabet’s risk factors since 2017.
Alphabet moved to dismiss for failure to state a claim. The district court granted the motion, finding that Rhode Island had failed to allege a material misrepresentation or omission and also failed to sufficiently allege scienter.
However, in June 2021, the 9th Circuit Court of Appeals reversed in part and held that the complaint contained a plausible allegation that Alphabet’s omission was materially misleading as its risk factor discussion of cybersecurity was framed in the hypothetical, while the “hypothetical” events had in fact already come to fruition.
- The First American settlement:
It is important for reporting issuers to ensure that they have the proper internal disclosure controls to definitively determine whether a cyber risk is hypothetical or not. In June 2021, the SEC announced settled charges against title insurer First American Financial Corporation in connection with the issuer’s June 2019 disclosures regarding a cybersecurity vulnerability. While First American claimed publicly that it had taken “immediate action” to address the vulnerability, the SEC found that First American’s information security personnel had been aware of the vulnerability for months before they informed the senior executives responsible for First American’s public disclosures. First American agreed to an order charging it with failing to maintain adequate cybersecurity disclosure controls and requiring it to pay a $487,616 penalty.
- Regulated entities:
The SEC has also settled actions against investment advisers and broker-dealers for failure to maintain adequate cybersecurity policies and procedures. Such issuers might consider supplementing their risk disclosure regarding potential regulatory concerns to include reference to cybersecurity concerns.
Case Law Summary
The principal conclusion that can be gleaned from these cases is that once a disclosed cyber or privacy risk materializes into an actual event, the issuer should consider updating its disclosures. It can be very problematic to describe cybersecurity and data privacy as hypothetical risks in SEC filings or to the media if an issuer already has experienced an incident.
Reportable events are not limited to breaches. An exposed vulnerability alone can trigger the requirement for disclosure even if there is no evidence that third parties actually accessed any information.
Issuers should establish policies and procedures to ensure information about cybersecurity risks and incidents is communicated to the appropriate disclosure personnel.
SEC Comment Letters
Together with enforcement actions, with increased scrutiny year after year, we have seen the SEC staff comment on issuers’ risk factors. Examples:
- The SEC staff may ask to avoid a generic cybersecurity risk factor and focus on specific risks relevant to the issuer’s business and industry.
- If the issuer makes a statement that it had previously been the target of cyber-attacks, the SEC staff may ask whether any such attacks resulted in breaches that were material to its business.
- To the extent cybersecurity risks are material to the issuer’s business, the SEC staff may ask to disclose the Board’s role in overseeing the cybersecurity risk management, the manner in which the Board (and sometimes the Audit Committee) administers this oversight function and any effect this has on the Board’s leadership structure.
- If the issuer engages in certain activities, e.g., investing in cryptocurrency, the SEC staff may ask the issuer to revise its risk disclosure to include the cybersecurity risks associated with that activity.
- If an issuer mentions a specific incident, we have seen the SEC staff probe about the nature of the incident. In particular, the SEC staff may want to know: the systems breached; how they were breached; the actions the issuer took to cure the breach; the impact on revenue related to the breach in each of the relevant quarters of the fiscal year; the costs incurred during each quarter of the fiscal year to cure the breach; and the actions and costs incurred to prevent similar breaches in the future. We recommend that issuer’s disclosure personnel be prepared with the relevant information at the time the issuer reports a data breach or weakness requiring mitigation.
Cybersecurity risk factors require unique and careful attention because of the increased SEC scrutiny, the investment value at stake, the privacy concerns and because of the potential liability for both the issuers and the directors if they are not properly and timely disclosed.
Issuers should ensure that they not only provide accurate disclosures in the first instance but that they continue to update the disclosures on a regular basis, especially if and when a vulnerability is discovered.
* * *
Carter Ledyard & Milburn LLP uses Client Advisories to inform clients and other interested parties of noteworthy issues, decisions and legislation which may affect them or their businesses. A Client Advisory does not constitute legal advice or an opinion. This document was not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein. © 2021 Carter Ledyard & Milburn LLP.