Disclosures 2012: level of cyber-security risk disclosures varies after new SEC guidance

By Guest Contributor
April 6, 2012

By Robert Kalb

NEW YORK, April 6 (Business Law Currents) – Ever-growing reliance on technology in customer interactions, proprietary data storage and even normal business operations is creating increased risk for companies working to ensure these systems remain uncompromised. As threats of cyber-attacks expand across industries, and given the potential material impact on operations, the security of these digital technologies from internal and external threats is vital.

Prior to newly released SEC guidance, there were no existing requirements to explicitly disclose these cyber-risks. With annual reports now being filed and sent to shareholders, companies have made varied levels of cyber-risk disclosure, and these disclosures may expand in the future with subsequent regulatory oversight.

On October 13, 2011, the Division of Corporation Finance of the Securities and Exchange Commission (DoCF) issued CF Disclosure Guidance: Topic #2 (Guidance), related to disclosure obligations regarding cyber-security risks and cyber-incidents for public companies dependent on digital technologies. The non-binding Guidance was provided in response to a growing sentiment that there needed to be a better matrix within which risk disclosures are made under federal securities laws.

The Guidance leaves the inclusion of cyber-security risks to the individual company, but stresses that relevant risk disclosures do not need to be detailed to the extent they would harm security efforts. However, it recommends that any risk disclosure be company-specific in nature.

While the Guidance contains broad language regarding the manner in which a cyber-attack may occur, cyber-related disclosures should be evaluated when companies prepare disclosures in their Forms 10-K, 20-F, 40-F, as well as financial statements and annual reports. The management discussion and analysis section could be the ideal place to address cyber-security risk or cyber-incidents if costs or consequences related to known incidents or risk of possible incidents present a material event, trend or uncertainty reasonably likely to have a material effect on a company’s results or financial condition.

10-Ks generally highlight cyber-security issues in their risk factor sections with varying degrees of specificity as to the nature and scope of risks. A good example of a disclosure with wide scope is that of NBCUniversal Media, LLC, which states that activities such as computer hacking, cyber-attacks, or “other malicious activities” could disrupt services. It also mentions that security breaches such as misuse and “leakage” could lead to significant capital outlays, which insurance may not cover.

Some 10-K disclosures are more specific and run a lengthier list of risk factors. KBR, Inc’s risk factors section mentions that failure or disruption of their IT systems could disrupt or decrease performance with litigation contingencies clearly delineated. Supermedia Inc states that breaches of cyber/data security measures such as loss of confidential or proprietary data could materially and adversely affect their reputation.

While these examples show that disclosure standards are varied across companies, the notification standards following a security breach appear equally in flux. US Airways Group Inc states in its 10-K that, in light of cyber-security risks, it has seen a heightened legislative and regulatory focus on data security. This focus includes requirements for “varying levels of customer notification” in the event of a breach. Geeknet Inc notes in its risk factors section that a security breach due to cyber-attacks that leads to misuse of customer information could compel the company to comply with “disparate breach notification laws in various jurisdictions.”

Cyber-threats may appear more prominently in certain industries, particularly ones where large amounts of personal data are handled on a daily basis. Retailers, already keenly aware of privacy laws and their effect on how sensitive personal data may be collected and used, need to be especially aware of the risks cyber-threats present. A cyber-attack on the computer systems holding such sensitive information could result in a breach of these privacy laws.

Some retailers have begun to disclose these risks within their risk factors. Chicos FAS Inc states in its 10-K that it has a cyber-security risk due to the nature of its business involving the storage and transmission of customers’ personal information. Chicos also notes that a successful attack could result in its reputation being damaged, potential lost business, and fines due to non-compliance with privacy laws. Similarly, Nordstrom Inc states that its risk extends to its own credit operations, social networking and “other online activities” it uses to connect with customers.

Children’s Place Retail Stores Inc goes into greater detail with respect to the risks cyber-threats pose, and the mitigating actions it has taken. The company notes that a cyber-attack could result in the theft of confidential data, operational delays resulting from disruption of the computer network, negative publicity and lost sales. While the systems and procedures it has in place meet the Payment Card Industry data security standards, the company notes that customers have high expectations for the protection of their personal data.

The healthcare industry also faces an increased cyber-security risk for its storage of sensitive patient information, which is regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Retirement home operator AdCare Health Systems Inc sees the threat of cyber-attacks on its computer systems in the processing, transmission and storage of sensitive patient information. AdCare notes that if patient data is improperly accessed, it may face sanctions or criminal procedures if it is found to be in violation of privacy rules under HIPAA.

When a company experiences a cyber-incident, the Guidance notes that a company may need to disclose the incident and its effects rather than make a general risk disclosure about cyber-threats. Global Payments Inc acknowledged that cyber-attacks had breached its systems, and that the unauthorized access included sensitive credit card data. While the company has not been able to measure the full effects of the breach, it disclosed that it has increased its network monitoring and security measures in response. Similarly, Zogenix Inc disclosed that it experienced information system failures that may have been the result of a cyber-attack. The security breach disrupted normal business operations and took a “substantial expenditure” of financial resources to remedy.

While not an outright security breach, Northrim Bancorp Inc disclosed that it is exposed to cyber-attacks in the normal course of business. Northrim believes that these attacks are made for the intended theft of financial assets, but has not incurred material losses related to any attack.

The risk of cyber-attacks in a digital world is unlikely to diminish. Companies must seek to secure themselves from attacks or face the financial, legal and reputational damage that a security breach would cause. Sound corporate governance practices including extensive shareholder communication and timely disclosure will ensure that investors are fully aware of the risks involved. The SEC’s current non-binding guidance is a step in the right direction, but as cyber-threats grow across the corporate landscape, further guidance may become far more stringent.

(This article was first published by Thomson Reuters’ Business Law Currents, a leading provider of legal analysis and news on governance, transactions and legal risk. Visit Business Law Currents online at http://currents.westlawbusiness.com.)

