Your Company Got Hacked, Must You Disclose to the SEC?
By IT-Lex Intern Eric Everson
A recent CNBC piece pointed to a very simple question: If you are a publicly traded company, do you have an obligation to disclose in your SEC filings that you have been hacked?
As Eamon Javers reports:
“Only a limited number of companies disclosed cyberattacks occurring in 2012, CNBC found after a review of 2012 SEC filings. That’s even though the SEC specifically asked companies to reveal significantly damaging attacks in guidance the commission issued to companies in the fall of 2011.”
Why don’t businesses want to disclose? Let’s start by acknowledging that the current SEC guidelines only require disclosure if the information related to a cyberincident (or risk of one) is material to investors. Anyone who is versed in securities regulation knows that the word “material” provides a lot of wiggle room for businesses. Are we talking about data loss, loss of equipment, downtime, financial losses, or something else caused by a cyberattack? If so, what is “material” about such instances if the company responds accordingly to the attack and continues business as usual? Cyberattacks literally happen every day. Why risk the negative press exposure when the company has all of the procedural and operational safeguards in place to respond to cyberthreats?
Many businesses increasingly consider cyberattacks par for the course. Remember the big Citigroup hack that resulted in $4.4 million in unauthorized charges? Citigroup explained that the damage from the attack was not very significant and the costs to fix the problem were less than $1 million. Treating it as par for the course, the company did not deem the incident to warrant disclosure in its 2Q11 Form 10-Q. Despite statements regarding its intention not to disclose this particular cyberattack in future filings, the company eventually resigned itself to disclosure in filings regarding “the general risk that cyberattacks present to its future business,” and in its 4Q11 10-K it disclosed that it had been the target of cyberattacks in the past. This incident was one of the biggest cybersecurity breaches of its time and, but for extensive media coverage, may never have been disclosed to the SEC.
What is the risk of nondisclosure? The SEC is not going to shut a company down or blacklist it as a “bad boy” because it failed to disclose getting hacked. This does not, however, prevent the SEC or investors from bringing suits for material misrepresentation. Shareholder securities class action lawsuits are a serious risk that executives must consider; the cost of legal fees and settlements in such cases can far exceed the costs of disclosure. Additionally, in October 2011, the Securities and Exchange Commission issued guidance to publicly traded companies describing their obligations to disclose material cyber incidents.
What can businesses do to limit their cyberrisk? As one who holds an MBA, let me say this bluntly… If you are an executive at a publicly traded company and you do not have a dedicated CIO (Chief Information Officer) or CTO (Chief Technical Officer), make it happen now. Your CIO/CTO, while responding to the technical demands of the business today, should also be focused on future innovative security and operations solutions. Your CIO/CTO should take an active role on shareholder calls, fielding questions about cyberrisks, -threats, and -incidents. Demand a cyberrisk management strategy from your CIO that outlines the strengths, weaknesses, opportunities and threats your company faces, and put the financial means behind making tomorrow’s systems more secure. If you don’t already have one in place, have your CIO/CTO implement a breach indication system and a corresponding cyber response procedure. No publicly traded company can afford not to have a CIO/CTO in today’s digital business environment.
Why is it important to disclose? In addition to keeping the SEC and your shareholders happy, disclosing cyber incidents prevents future incidents. If a business discloses a cyberrisk or a cyber incident, this means that it has acknowledged the risk and hopefully has put safeguards in place to limit future exposure. Disclosure (by media and by SEC filings) creates opportunities to broadly improve the digital security environment.
The SEC is clear: you have an obligation to disclose “material” cyber incidents. But the question is: is the “material” wiggle room worth the financial risk to your company?