With the news that Target intends to wait until it files its annual report with the Securities and Exchange Commission (SEC) in March to disclose the investment consequences of its massive 2013 cybersecurity intrusion, the SEC's approach to cybersecurity disclosure once again gains attention.
Since the SEC first issued its guidance on cybersecurity in October 2011, it has heightened its review of cybersecurity disclosures by public companies. The SEC’s 2011 guidance highlights public company disclosure obligations relating to cybersecurity risks and cyber incidents under the federal securities laws. Although no existing federal securities laws explicitly refer to disclosure of cybersecurity risks and cyber incidents, the guidance points out that there are a number of disclosure requirements that may impose an obligation on public companies to disclose these risks and incidents when necessary in order to make the other required disclosures not misleading. Such disclosures may include remediation costs, cybersecurity protection costs, lost revenues, litigation and reputational damage.
The SEC emphasized in its guidance that it was mindful of potential concerns that detailed disclosures could compromise cybersecurity efforts by providing a “roadmap” for hackers. Nevertheless, many of the SEC’s comments focus on boilerplate risk factor disclosure and seek disclosure of a company’s specific experience with cyber-attacks, attempts to breach the security of networks and similar incidents. The information is meant to inform investors of the extent to which the risk is likely to impact current or future results of operations.
In addition, recent SEC comments underscore the need to disclose costs associated with any preventative or remedial measures that may have a material effect on a company’s results of operations, liquidity and financial condition. What’s more, these comments seek to elicit disclosure that addresses whether a business that was subject to past breaches may have suffered reputational damage affecting customer or investor confidence.
With that said, the Target breach highlights some of the limitations in the SEC guidance. Target first disclosed the cyber intrusion in mid-December, and only last week, in response to a letter from Sen. John D. Rockefeller IV (D-WV) asking why the company had not yet reported the massive data breach to the SEC, did Target announce that it would wait to make the public disclosures required by the SEC guidance until its annual report in March.
The severity of the breach, and its financial impact, will likely make the Target SEC disclosure one to watch.
During a hearing before the Senate Energy and Commerce Committee in January, Rockefeller was among the senators asking Target about its remediation plans and disclosure obligations. Last year, Rockefeller asked SEC Chairman Mary Jo White to review whether the SEC 2011 guidance needs to be enhanced; that inquiry may be renewed in the near future in light of the widespread cyber intrusions announced in December and January.
With regard to the current SEC guidance, it is important to remember that the SEC keeps an eye on press reports, and will often cite such reports in its comments. These are not just the big headline-grabbing reports but also more subtle spotlights such as reports that hotels and resorts are increasingly becoming the targets of cyber-attacks.