Roberta S. Karmel
On Dec. 19, 2013, Target Corporation disclosed that approximately 40 million credit and debit card account numbers had been hacked from its system between Nov. 27 and Dec. 15, 2013. Target later announced on Jan. 10, 2014, that the breach also involved a second group of up to 70 million people.[1] According to Target’s 10-K filed on March 14, 2014, more than 80 actions were filed against the company as a result of this breach, and $61 million in pretax data breach-related expenses were recorded in the fourth quarter of 2013. The company had $100 million of network-security insurance coverage, above a $10 million deductible, which could reduce its financial exposure. But in addition to the costs of remediation, the potential problems and interruptions from this breach could disrupt or reduce operational efficiency and adversely affect customer confidence.
In addition to the publicity over the Target cyber breach and the subsequent lawsuits against the company, the Securities and Exchange Commission (SEC) had already been under some pressure from Congress to act with regard to cybersecurity. In October 2011, the Division of Corporation Finance issued disclosure guidance on cybersecurity for public companies, but last April, Senator Jay Rockefeller requested the SEC to elevate its guidance on cybersecurity disclosures.[2] The flash crash of May 6, 2010, and subsequent serious glitches in the trading markets also heightened the sensitivity of the SEC and others to cybersecurity dangers to securities infrastructure institutions. In the aftermath of these disclosures and some other high-profile cybersecurity breaches, the SEC held a Cybersecurity Roundtable on March 26, 2014.
The Roundtable consisted of four panels: Panel 1 was a discussion of the Cybersecurity Landscape; Panel 2 was a discussion of Public Company Disclosure; Panel 3 was a discussion of Market Systems; and Panel 4 was a discussion of Broker-Dealers, Investment Advisers, and Transfer Agents. I participated in the panel on Public Company Disclosure.
Awareness of Risks
SEC Chair Mary Jo White introduced the Roundtable as an effort “to better inform ourselves, the marketplace, our fellow agencies, and the private sector as to what the risks are and how best to combat them.”[3] Additionally, the Roundtable aimed to gauge whether the current SEC guidance on cybersecurity disclosure is helpful to market participants.[4]
The first panel concentrated on the cybersecurity landscape and painted a bleak picture, describing the innumerable threats faced by both the public and private sectors. The discussion, guided by representatives from the Department of Homeland Security, Department of Treasury, and the White House, among others, focused on the National Institute of Standards and Technology’s recently issued Framework for Improving Critical Infrastructure Cybersecurity.[5]
The framework is the result of a 2013 executive order aimed at developing and implementing risk-based standards through public and private sector collaboration.[6] Among the 16 industries considered critical to U.S. infrastructure, foremost is the financial industry. The panel noted that while the financial industry is currently the primary target of cybersecurity attacks, it is also the most prepared and equipped to manage these threats.
According to the panel, the approach to cybersecurity is in its formative stages and at this time there is no easy solution for a company to prevent all cybersecurity threats. Companies facing cybersecurity issues should not consider these issues merely an IT problem that simply requires an upgrade, but instead should consider cybersecurity a constant operational risk. Further, merely securing company data is insufficient protection as there are multiple varieties of cybersecurity threats, and companies should instead aim to manage cybersecurity risks and mitigate the damage from breaches.
As noted by Cyrus Amir-Mokri, Assistant Secretary for Financial Institutions, Department of the Treasury, this is a whole government issue and not one just for the SEC. The panel noted that in order to combat information asymmetry, these critical infrastructure companies should designate a person within their organization to coordinate with the government to key the organization in on timely threat intelligence. From a national security standpoint, opening a corporation’s network protocols and systems to an agency, such as the Department of Homeland Security, would allow for increased flow of information on cybersecurity threats, but the ramifications of such openness are unclear in both the civil liberties and regulatory context as there is limited statutory guidance.
The second panel of the Cybersecurity Roundtable was organized by the Division of Corporation Finance and was directed at the issue of disclosure of cybersecurity risks and breaches at public companies. In 2011, the Division of Corporation Finance issued disclosure guidance on cybersecurity with an emphasis on risk factor disclosures consistent with Item 503(c) of Regulation S-K. This guidance instructed companies, to the extent material, to make appropriate disclosures of: (1) “aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences”; (2) outsourced functions with material cybersecurity risks; (3) “description of cyber incidents…that are individually, or in the aggregate, material”; (4) “risks related to cyber incidents that may remain undetected for an extended period”; and (5) “description of relevant insurance coverage.”[7]
This guidance also discusses the possible need to include information about cybersecurity risks and incidents in the MD&A, description of business, legal proceedings and financial statements. Different lenses need to be used before and after a cyber incident. Although the guidance cautions against boilerplate disclosure, it instructs that “the federal security laws do not require disclosure that itself would compromise a registrant’s cybersecurity.”[8] The division has issued over 50 comments to companies with regard to their cybersecurity disclosure, generally trying to elicit whether the disclosures should explain any balance sheet consequences of the costs of security.
The Corporation Finance panel was addressed to the question of whether, in light of the Target and other high-profile recent cyber breaches, this guidance was sufficient, or more disclosure about cyber risks and breaches should be required, even if not material, and whether such disclosure should be a line item disclosure, or otherwise be more highlighted by the SEC. The SEC has rarely required disclosures by public companies which are not material to investors, and in my opinion, despite the importance of cybersecurity, the commission should not do so now.
Many years ago, the SEC mandated disclosure of environmental citations, even if not material, but this was required by statute, and was controversial, and the commission ultimately backtracked on these disclosures.[9] Many commentators have argued that the conflict minerals disclosures by public companies mandated by the Dodd-Frank Act are not material to investors, and these disclosures are being challenged in the U.S. Court of Appeals for the D.C. Circuit.[10] When the securities laws are utilized to promote industrial policies, the investor protection purpose of the laws is subverted.
There are a variety of places in the Form 10-K Annual Report by public companies where cybersecurity disclosures could be placed. These include: risk factor disclosure, the MD&A, description of business, legal proceedings and financial statements. In preparation for appearing on the Corporation Finance panel, I perused some 10-K disclosures by public companies. Generally, cybersecurity issues were analyzed in the risk factors section of the 10-K, rather than the MD&A or elsewhere, unless, as in the case of Target, the company had suffered a serious breach, which led to material liabilities.
Although the disclosures were fairly general, there was some difference between companies in different industries. For example, defense contractors, health care companies, news companies, utilities and financial institutions all had serious cybersecurity concerns, but for somewhat different reasons. While the theft of customer credit information is perhaps front and center in the minds of the public and Congress, other serious cyber threats involve the theft of intellectual property, service interruptions, and national security information.
Companies stated, in response to the division’s 2011 guidance, that they had insurance to cover cybersecurity risks, but then generally added that the insurance might not be sufficient, depending upon the breach that might occur. The problem with all this disclosure is that every large multinational company knows it will be the target of a cyber attack, but it cannot predict when or how a truly disabling attack will occur or the financial consequences of such a breach.
Systems and Governance
Panelists on both the first and second panels spoke about corporate governance. Although the boards of directors of public companies need to be informed about cybersecurity and breaches, there is a question of which committees of the board should be responsible in the first instance. Some panelists thought it should be the audit committee, some suggested the risk management committee, and some thought if appropriate a new cybersecurity committee or subcommittee could be formed. If the SEC wished to heighten awareness in this space, it could mandate disclosure about which committees of the board have such jurisdiction. Some industries do have protocols for cybersecurity protections, and whether a company adheres to such protocols could be disclosed, but this will become boilerplate.
The afternoon panels focused on securities infrastructure institutions, such as stock exchanges, and broker-dealers, investment advisers and transfer agents. With regard to such SEC-registered entities, the SEC would seem to have much more authority and responsibility than in the case of public companies to be assured that entities have adequate cybersecurity systems. The SEC has examination powers with regard to these entities and cybersecurity is an examination priority for 2014. FINRA also is surveying its members with regard to cybersecurity risks.[11] Most of the panelists on the security infrastructure panel expressed the hope that the SEC would assist them in improving their systems rather than resorting to enforcement cases against them for inadequate systems.
In the case of broker-dealers and investment advisers, it was pointed out that small entities have different problems in developing systems than large entities. Threats can come from different sources—operational defects; employee sabotage or negligence; and third-party hackers. Further, some of these third parties appear to be foreign state-sponsored operatives.
Whether new laws addressed to cybersecurity threats are needed is unclear. In 1999, the Gramm-Leach-Bliley Act imposed a duty to safeguard customer privacy on financial institutions and required financial institutions to safeguard such information.[12] Rulemaking authority was delegated to the federal banking agencies, the National Credit Union Administration, the Secretary of the Treasury, the SEC and the Federal Trade Commission.[13] The FTC, in particular, was given the task of enforcing these privacy rules.[14]
The Sarbanes-Oxley Act of 2002 then required management to have controls in place for proper financial reporting, including audit procedures.[15] According to an SEC report, information security needs to be addressed in two ways: (1) by requiring the establishment of information security processes and audit procedures to protect corporate information; and (2) through accurately reflecting the diminished value of intangible assets because of a security failure or breach, which would include breaches involving private information.[16]
Yet, consumer or customer protection is not the only or perhaps even the most important issue with regard to the cybersecurity systems of public companies. Cyber attacks have become a weapon of war between competing nations and therefore are of concern to the general public. Should the SEC become responsible for examining the adequacy of the cybersecurity of public companies or requiring more disclosure by them about their systems? While the SEC perhaps has the expertise and legal authority to do so with regard to securities infrastructure institutions, broker-dealers and investment advisers, it is unlikely that it can be especially helpful to non-financial public companies, or that requiring more disclosure from them will be useful to investors.
Roberta S. Karmel is Centennial Professor of Law and co-director of the Dennis J. Block Center for the Study of International Business Law at Brooklyn Law School. She is a former commissioner of the Securities and Exchange Commission. Brooklyn Law student Kevin Cooper assisted in the preparation of this column.
1. Complaint at ¶¶1, 8, Dorobiala v. Target Corporation, CV 14-00294 (C. D. Cal. Jan. 13, 2014).
2. Eric Chabrow, Rockefeller to SEC: Elevate Cybersecurity Guidance, Bank Info Security (April 1, 2014), http://www.bankinfosecurity.com/rockefellwer-to-sec-elevate-cybersecurity-guidance-a-5679.
3. SEC Chair Mary Jo White, Opening Statement at SEC Roundtable on Cybersecurity (March 26, 2014).
4. CF Disclosure Guidance: Topic No. 2—Cybersecurity, SEC Division of Corporation Finance (Oct. 13, 2011), available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
5. Framework for Improving Critical Infrastructure Cybersecurity, National Institute of Standards and Technology (Feb. 12, 2014).
6. Exec. Order No. 13,636, 78 Fed. Reg. 11,739 (Feb. 12, 2013).
7. CF Disclosure Guidance: Topic No. 2 at 2.
8. Id. at 3.
9. See Securities Exchange Act Release No. 17762, 46 Fed. Reg. 25638 (May 8, 1981).
10. See National Association of Manufacturers v. Securities and Exchange Commission, No. 12-1422 (D.C. Cir.).
11. Yin Wilczek, FINRA Sends Sweep Letters Asking Firms About Approach to Cybersecurity Threats, 46 Sec. Reg. & L. Rpt 295 (BNA), Feb. 17, 2014.
12. 15 U.S.C. §6701 (1999).
13. Id. at 6804.
14. Id. at 6805.
15. Sarbanes-Oxley Act of 2002, Pub. L. No. 107-2014, 116 Stat. 745 (2002).
16. See SEC, Commission Guidance Regarding Management’s Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934, Release Nos. 33-8810, 34-55929 (June 20, 2007).