Just about every survey of General Counsels reveals the same #1 culprit of sleepless nights….. a cybersecurity hack. If you run a business in today’s global environment, it is hard to escape the fundamental reality that it is more than likely a matter of when, not if, you will face a cyber threat. And depending on the nature of your business, that threat can have a wide range of implications. If you are a public company, there is an additional issue to consider… what do you have to disclose to your investors and shareholders?
Being prepared for a hack with a comprehensive written information security plan and an equally robust incident response plan is just one component to be considered if you are a public company. You must also have a plan to meet your reporting and disclosure obligations to a variety of governmental bodies. While measuring your response needs in the wake of a hack, and determining if there are state, federal or international laws and regulations that require reporting, you must also pay close attention to possible disclosure obligations in your SEC filings. Specifically, if you have tripped a disclosure to a state attorney general or your company’s customers, then it is possible you may also have a disclosure obligation to your shareholders.
The SEC is closely watching the developing landscape of cyber intrusions and what must be disclosed publicly. In 2011, The SEC Division of Corporate Finance issued guidance stating, “although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents.” To read the entire SEC CF Disclosure Guidance click here.
Material information regarding cybersecurity risks and incidents are required to be disclosed in order to ensure that any other required disclosures are not misleading, in light of the circumstances in which they are made. The executive management of any public company is well aware that assessing whether any incident or event has passed the “materiality” threshold to require disclosure in an SEC filing is significantly more challenging than most may realize. Weighing a materiality assessment in connection with a public disclosure against the risks of negative public opinion and potential exposure to possible class action activity is a significant concern. However, the risk of an SEC investigation could very well outweigh short term public opinion concerns. To be certain, an SEC investigation invites unwelcomed public attention and is most certainly worse than the consequences of a voluntary disclosure (recall the Yahoo! Inc. breach and the investigation brought forth by the SEC in 2016).
All public companies should have an incident response plan as part of a good corporate governance process, which should be updated to contemplate changes to any SEC disclosure obligations, including but not limited to additional risk factor disclosure, MD&A updates, revised financial statement and legal proceeding disclosures. Moving swiftly upon learning of a breach to your environment is critical. Please contact us immediately to assist in developing your preparedness plan, including SEC reporting obligations, and any other questions you have regarding cyber exposure.