SEC and Cybersecurity—What Publicly-Traded Companies Need to Know
Note from the Editor:
Mary Ellen Callahan, CIPP/US, and Elaine Wolff, both of Jenner & Block, will be part of the breakout session "The SEC and Cybersecurity: What Every Publicly Traded Company Must Know" at the IAPP Global Privacy Summit in Washington, DC, on March 7 at 8:30 am. They will be joined by Nicole Maddrey, Vice President, Deputy General Counsel & Assistant Secretary at Graham Holdings, and Tangela Richter, Functional General Counsel—Direct Bank and Brokerage, Capital One.
With the news that Target intends to wait until it files its annual report with the Securities and Exchange Commission (SEC) in March before reporting on the investment consequences of its massive 2013 cybersecurity intrusion, the SEC's role in cybersecurity once again gains attention.
Since the SEC first issued its guidance on cybersecurity in October 2011, it has heightened its review of cybersecurity disclosures by public companies. The SEC’s 2011 guidance highlights public company disclosure obligations relating to cybersecurity risks and cyber incidents under the federal securities laws. Although no existing federal securities laws explicitly refer to disclosure of cybersecurity risks and cyber incidents, the guidance points out that there are a number of disclosure requirements that may impose an obligation on public companies to disclose these risks and incidents when necessary in order to make the other required disclosures not misleading. Such disclosures may include remediation costs, cybersecurity protection costs, lost revenues, litigation and reputational damage.
The SEC emphasized in its guidance that it was mindful of potential concerns that detailed disclosures could compromise cybersecurity efforts by providing a “roadmap” for hackers. Nevertheless, many of the SEC’s comments focus on boilerplate risk factor disclosure and seek disclosure of a company’s specific experience with cyber-attacks, attempts to breach the security of networks and similar incidents. The information is meant to inform investors of the extent to which the risk is likely to impact current or future results of operations.
In addition, recent SEC comments underscore the need to disclose costs associated with any preventative or remedial measures that may have a material effect on a company’s results of operations, liquidity and financial condition. What’s more, these comments seek to elicit disclosure that addresses whether a business that was subject to past breaches may have suffered reputational damage affecting customer or investor confidence.
With that said, the Target breach highlights some of the limitations in the SEC guidance. Target first disclosed the cyber intrusion in mid-December, and only last week, in response to a letter from Sen. John D. Rockefeller IV (D-WV) asking why the company had not yet reported the massive data breach to the SEC, did Target announce that it would wait to make the public disclosures required by the SEC guidance until its annual report in March.
The severity of the breach, and its financial impact, will likely make the Target SEC disclosure one to watch.
During a hearing before the Senate Energy and Commerce Committee in January, Rockefeller was among the senators asking Target about its remediation plans and disclosure obligations. Last year, Rockefeller asked SEC Chairman Mary Jo White to review whether the SEC 2011 guidance needs to be enhanced; that inquiry may be renewed in the near future in light of the widespread cyber intrusions announced in December and January.
With regard to the current SEC guidance, it is important to remember that the SEC keeps an eye on press reports, and will often cite such reports in its comments. These are not just the big headline-grabbing reports but also more subtle spotlights such as reports that hotels and resorts are increasingly becoming the targets of cyber-attacks.
About the Author
Mary Ellen Callahan, CIPP/US, is a nationally recognized privacy attorney with an extensive background in consumer protection law. As the longest-serving former chief privacy officer of the U.S. Department of Homeland Security—the first statutorily mandated privacy office in any federal agency—Callahan has a unique and broad knowledge of and experience with the interface of the protection of privacy, civil rights and civil liberties with cybersecurity and national security issues. During her tenure at the Department of Homeland Security, Callahan also served as Chief Freedom of Information Act (FOIA) Officer, responsible for centralizing both FOIA and Privacy Act operations to provide policy and programmatic oversight and support implementation across the department. Callahan is the founder and now serves as chair of Jenner & Block’s Privacy and Information Governance Practice.
Elaine Wolff is a corporate attorney who focuses in the areas of corporate finance and securities law. She draws on extensive experience in the public and private sectors, including several roles with the Securities and Exchange Commission from 1997 to 2007. Wolff is highly knowledgeable on the interpretation and application of securities laws to public companies and, in particular, real estate investment trusts. She represents companies in connection with registration statements for capital raising and merger transactions, proxy statements and periodic reports and corporate governance matters.