In February 2018, the Securities and Exchange Commission released its Interpretive Statement and Guidance on Public Company Cybersecurity Disclosures (“Guidance”). This Guidance built upon guidance in 2011 that discussed the need for public companies to provide timely disclosure of significant cybersecurity risks and actual data breaches. The new Guidance, among other things, cautions that an internal investigation cannot be used as an excuse to delay disclosure and that companies may need to update disclosures which were accurate when made but are no longer valid. The new Guidance also discussed the need for companies to maintain comprehensive policies and procedures concerning (1) cybersecurity risks and incidents, and (2) preventing officers and directors from trading in their companies’ securities while in possession of nonpublic knowledge about significant cybersecurity incidents.
More recently, the SEC filed a settled administrative proceeding against the successor to Yahoo! Inc. alleging that Yahoo! had delayed for two years disclosing a massive breach of its user database, which was disclosed only when Yahoo! was selling its operating business to Verizon. In the Matter of Altaba Inc. f/d/b/a Yahoo! Inc., (Administrative Proceeding File No. 3-18448, April 24, 2018). The enforcement proceeding, which resulted in a $35 million penalty, amplified and illustrated the principles articulated in the February 2018 Guidance. In light of the Yahoo! action, attorneys, as well as management and boards, would disregard the Guidance at their peril, even though it lacks the force of an actual rule or regulation.
In October 2011, the SEC’s Division of Corporation Finance issued informal guidance that provided the Division’s views. The February 2018 Guidance carries the imprimatur of the full Commission and expands the 2011 statement by addressing policies and procedures intended to mitigate cybersecurity risks and prevent insider trading. The new Guidance also emphasized the need for directors to exercise risk oversight.
The Guidance begins with an ominous warning: “Cybersecurity risks pose grave threats to investors, our capital markets, and our country.” The Guidance noted that “Cybersecurity incidents can result from unintentional events or deliberate attacks by insiders or third parties, including cybercriminals, competitors, nation-states, and ‘hacktivists.’” A successful cyberattack could result in additional costs for remediation and increased risk protection; lost revenues; litigation; higher insurance premiums; reputational damage; and reduced competitiveness.
Disclosure of Cybersecurity Issues
The Guidance identified various SEC rules that could require disclosure of cybersecurity risks and incidents:
- General Obligation to Disclose Material Risks and Incidents: The Guidance stated that companies should consider the materiality of cybersecurity risks and incidents in providing the disclosure required in periodic reports, such as Annual Reports on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K and registration statements for public offerings of securities. (Foreign private issuers also must provide disclosure in annual reports on Form 20-F and current reports on Form 6-K). These reports require disclosure concerning a company’s business and operations, risk factors, legal proceedings and the Management Discussion and Analysis (MD&A). In addition to information that is expressly required, companies also must disclose “such further material information, as may be necessary to make the required statements, in light of the circumstances under which they were made, not misleading.” Omitted information is material if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted fact would have been viewed by a reasonable investor as having significantly altered the total mix of available information.
The Guidance stated that the materiality of cyber risks or incidents depends on their nature, extent and magnitude, including the potential or actual damage to a company’s reputation, financial results and customer and vendor relationships, as well as possible litigation or regulatory actions. Companies are not expected to disclose specific technical information about cybersecurity systems or their vulnerabilities in such detail as would make them more susceptible to hackers. Nonetheless, the SEC emphasized that where a company has become aware of a cyber risk or incident that would be material to investors, it would be expected to make timely and appropriate disclosure, particularly in advance of the offer or sale of securities.
The Guidance makes two significant points concerning disclosure. First, while a company is permitted some breathing space in deferring disclosure pending an investigation into a data breach, including the need to cooperate with law enforcement, an ongoing investigation “would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.”
Second, companies may have a duty to correct disclosure that was untrue at the time it was made (for example, if the company discovers contradictory information that existed at the time of the initial disclosure) or a duty to update disclosure that was accurate when made but has become misleading as a result of subsequent events. The SEC noted that there is mixed judicial support for any duty to update. See Backman v. Polaroid Corp., 910 F.2d 10, 16-17 (1st Cir. 1990) (en banc) (supporting duty to update); Higginbotham v. Baxter International, Inc., 495 F.3d 753, 760 (7th Cir. 2007) (rejecting duty to update before next quarterly report); Gallagher v. Abbott Laboratories, 269 F.3d 806, 808-11 (7th Cir. 2001) (securities laws do not require continuous disclosure). Moreover, if there is a duty to update cybersecurity incidents, there should be a duty to update concerning other matters as well. The SEC therefore appears to be suggesting, no matter how obliquely, its belief in a general duty to update.
- Risk Factors: Item 503(c) of Regulation S-K, the regulation that sets forth the information required to be provided in periodic reports, mandates disclosure of the most significant risk factors that make a company’s securities a risky or speculative investment. The Guidance states that companies should consider disclosing past cyber incidents, including their severity and frequency; the probability of an occurrence and potential magnitude of cyber incidents; the aspects of the company’s business that give rise to cyber risks, including industry-specific risks; the cost of preventative measures; the potential for reputational harm; and potential litigation, regulatory and remediation costs. The Guidance emphasized that if a company experienced a material breach involving denial-of-service, it would not be sufficient to merely disclose the risk of such an incident. Further, disclosure of incidents involving suppliers, customers, competitors and others may also be relevant.
- Management Discussion and Analysis: Item 303 of Regulation S-K requires discussion in annual and quarterly reports of a company’s financial condition, changes in financial condition and results of operations. In particular, companies must discuss events, trends, or uncertainties that are reasonably likely to have a material effect on future financial results, liquidity or financial condition; make current financial results not indicative of future results; or are necessary to allow investors to understand the company’s financial performance and condition. In this context, companies should disclose the costs associated with cyber issues, such as the loss of intellectual property, insurance, litigation, remediation, and damage to competitive advantage. Companies should also consider the impact of such incidents on each of their reportable segments.
- Description of Business and Legal Proceedings: Item 101 of Regulation S-K requires companies to discuss their products, services, relationships with customers and suppliers, and competitive conditions. Companies should provide appropriate disclosure of any cyber risks that are relevant to these matters. Item 103 of Regulation S-K requires companies to disclose material pending legal proceedings to which they or their subsidiaries are a party. Companies should disclose any proceedings that relate to cybersecurity issues, such as those with customers, including a description of the factual basis of the litigation and the relief sought.
- Financial Statement Disclosure: Cybersecurity incidents and risks should be addressed in the financial statements, including expenses relating to investigation, remediation and litigation; loss of revenue; claims related to warranties, breach of contract, recalls, indemnification and insurance increases; and diminished future cash flows, impairment of intellectual property, intangible or other assets, liabilities and increased financing costs. Thus a company must have sufficient accounting and control systems to ensure that the financial impact of a cyber incident would be reflected in the financial statements.
- Board Risk Oversight: Item 407(h) of Regulation S-K and Item 7 of Schedule 14A, which sets forth the information to be provided in proxy statements, require a company to disclose the extent of its board of directors’ role in the risk oversight of the company, including a description of how the board administers its risk oversight function. A company therefore should disclose its cybersecurity risk management program and how the board engages with management, in order to allow investors to assess how the board discharges its risk oversight responsibility.
The Guidance suggests a possible conflict between the SEC and Delaware law, which limits liability for director oversight claims under the so-called Caremark standard. See In re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996). As that standard is generally interpreted, director oversight liability exists only when directors utterly fail to implement any reporting or information system and controls, or, having implemented such systems or controls, fail to monitor or oversee the company’s operations (typically by ignoring repeated “red flags”). Both situations generally require proof that the directors knew they were not discharging their fiduciary obligations and were not acting in good faith. See Stone v. Ritter, 911 A.2d 362 (Del. 2006). However, the standard for director liability in private shareholder litigation may be stricter than that imposed by regulators. The Guidance addresses disclosure, not standards of liability. Nonetheless, the Guidance could be viewed as a statement by the SEC that a board’s failure to provide sufficient risk oversight, even a good faith failure, is sufficiently material that it must be disclosed to investors, and that a failure to disclose could result in liability under the securities laws.
Policies and Procedures
- Disclosure Controls and Procedures: The Guidance emphasized that companies “should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel . . . to enable senior management to make disclosure decisions and certifications . . .” SEC Rules 13a-15 and 15d-15 under the Securities Exchange Act require companies to maintain disclosure controls and procedures and for management to evaluate their effectiveness. The Guidance stated that such controls and procedures should ensure timely collection and evaluation of information relevant to an assessment of the need to disclose developments and risks. Companies should consider whether their disclosure controls and procedures will appropriately record, process, summarize and report information related to cyber risks and incidents. The controls include the ability to identify and evaluate risks and incidents, provide for open communication between technical experts and disclosure advisors (which presumably include in-house and outside counsel) and make timely disclosures.
Exchange Act Rules 13a-14 and 15d-14 require a company’s principal executive and financial officers to make certifications regarding the design and effectiveness of disclosure controls and procedures. Item 307 of Regulation S-K requires the disclosure of conclusions concerning the effectiveness of controls and procedures. These certifications and disclosures should consider the adequacy of the company’s ability to identify and respond to cybersecurity risks and events, including any deficiencies in internal controls and procedures.
- Insider trading: Companies should adopt policies and procedures to prevent officers, directors and other insiders from trading in a company’s securities while in possession of material, nonpublic information concerning a significant cybersecurity incident. Further, the Guidance cautioned, companies should consider restricting insider trading while investigating and evaluating significant cyber incidents, if only to prevent the appearance of improper trading. The SEC also warned against selective disclosure of cyber incidents that could violate Regulation FD.
In March, the SEC filed an action against the former chief information officer of a business unit of Equifax alleging that he avoided $117,000 in losses by exercising options and selling stock while in possession of material nonpublic information concerning the massive data breach at Equifax in the summer of 2017. SEC v. Ying, No. 1:18-cv-91069-CAP, filed in the U.S. District Court for the Northern District of Georgia on March 18, 2017. According to the SEC’s complaint, Equifax had the initial indication of a data breach on July 29, 2017 but made no disclosure until September 7. During that period, the SEC alleged, Ying pieced together information from various company sources, concluded that Equifax had suffered a major breach, and sold his stock on August 28. The SEC has not filed any enforcement action against Equifax, but plainly the longer a company delays making public disclosure, the greater the likelihood that information about a material cyber incident will become widespread and result in insider trading. Further, while Equifax imposed a trading blackout on employees who had direct knowledge of the data breach, it failed to impose a blackout on employees who might have access to critical information.
Yahoo! Enforcement Action
The Yahoo! action is the first SEC enforcement proceeding concerning a company’s failure to make timely disclosure of a significant cybersecurity breach. The SEC’s allegations read like a checklist of all the actions that a company should take but which Yahoo! did not; indeed, it is very likely that the Guidance was prepared with the Yahoo! matter in mind.
The SEC’s cease-and-desist order alleged that in late 2014, Yahoo!’s internal information security team became aware that the company’s information technology networks and systems had suffered a massive breach by hackers associated with Russia. By December 2014, the information security team determined that the hackers had stolen copies of user database files containing the personal data of at least 108 million users and likely the entire database of billions of users. The stolen files included what Yahoo! referred to as the “crown jewels”: usernames, email addresses, telephone numbers, birth dates, passwords, and security questions and answers. Also, the security team concluded that the hackers had gained access to the email accounts of 26 Yahoo! users specifically targeted because of their connection to Russia.
Within days after the information security team reached these conclusions, members of the company’s senior management and legal teams received reports informing them of the theft of the personal data of hundreds of millions of Yahoo! users. Nonetheless, senior management and the legal staff did not properly assess the scope, business impact or legal implications of the breach, including whether public disclosure should be provided. Nor were the outside auditors or outside counsel informed of the breach in order to assess disclosure issues. The SEC alleged that Yahoo! did not maintain disclosure controls and procedures to ensure proper evaluation of the impact of the data breach. Yahoo! notified only the 26 users whose email accounts had been specifically attacked, but did not make any public disclosure of the data breach. Yahoo!’s public filings, including registration statements for sales of common stock under employee stock purchase and option plans, only discussed the risk of a data breach, but did not disclose the actual breach or its potential consequences in either its risk factors or the MD&A. Yahoo! failed to make disclosure even after the information security team determined that the same hackers were targeting Yahoo!’s user databases throughout 2015 and early 2016, and received reports that stolen user credentials were being sold on the dark web. Although the Chief Information Security Officer conveyed these concerns to at least one member of the senior management team negotiating the sale of Yahoo!’s operating business to Verizon, the company affirmatively represented to Verizon that it was unaware of any data breaches.
Not until September 2016 did Yahoo! make disclosure of the massive data breach publicly and to Verizon. The disclosure resulted in a 3 percent drop in Yahoo!’s stock price—a $1.3 billion decline in market capitalization—and a $350 million, or 7.25 percent, reduction in the acquisition price. Yahoo! also amended its prior risk factor and MD&A disclosures, and corrected prior statements that its disclosure controls and procedures were effective. After the sale of its operating business to Verizon, Yahoo! changed its name to Altaba and became a publicly-traded, closed-end management investment company.
The SEC charged Yahoo! with violations of §§17(a)(2) and (a)(3) of the Securities Act of 1933 (which have a negligence standard) in connection with the offer and sale of securities, and the provisions of the Securities Exchange Act requiring the filing of periodic reports and the certification of disclosure controls and procedures. The SEC did not allege fraud, nor did it charge any individuals. However, the SEC’s release stated that the $35 million penalty reflected the company’s undertaking to cooperate in the SEC’s continuing investigation, suggesting that further charges may be forthcoming. Also, in March the company entered into an $80 million proposed settlement of a federal securities class action lawsuit, which appears to be the first settlement of a class action arising from a data breach.
The new Guidance and the Yahoo! action provide important lessons for companies and their attorneys:
- While the SEC did not dictate the timing for disclosure of a major cybersecurity incident, it is obvious that two years is not acceptable. While presumably a company is permitted some delay in disclosure in order to investigate and assess a data breach, the existence of internal or external investigations cannot be used as an excuse for failing to make appropriate and timely disclosure.
- A company needs to adopt, maintain and follow sufficient policies and procedures to enable senior management, the board and the lawyers to evaluate the existence of a data breach, its business impact and disclosure obligations. Disclosure must also be made to the outside auditors and counsel. Adherence to such policies and procedures may serve as a defense to accusations that disclosure was not timely.
- Risk factors and Management Discussion and Analysis should disclose the actual risks of a material cybersecurity incident; the company’s policies to prevent such a breach; and a realistic assessment of the real world impact of the breach. The disclosures should be continually updated to reflect evolving cybersecurity risks.
- Companies should be mindful that even disclosures that were accurate when made may need to be updated.
- Repetition of boilerplate disclosures of the risks of a potential cybersecurity incident is not sufficient when an actual incident is known to have occurred. In that event, there must be comprehensive disclosure of the magnitude of the breach, and its actual or possible business, financial and legal impact.
- Similarly, companies and their CEOs and CFOs must take seriously the certification of the effectiveness of disclosure controls and procedures to ensure that cybersecurity issues are sufficiently addressed.
- The board of directors must be involved in administering cybersecurity risk oversight, and the company’s disclosures should describe the board’s involvement. There is no requirement that a board have a member who is a cybersecurity expert, comparable to the requirement that the audit committee have a member with financial expertise, but some companies with significant cyber risks may find it useful to have a director who can provide expert advice.
- Companies need to have adequate policies and procedures to prevent even the appearance of illegal insider trading before public disclosure of a material cybersecurity incident.
Jared Kopel is the owner of The Law Offices of Jared L. Kopel, which is affiliated with Bergeson LLP, with offices in San Jose and San Francisco and specializing in securities, intellectual property, employment and general commercial litigation.