Disclosures 2012: level of cyber-security risk disclosures varies after new SEC guidance
NEW YORK, April 6 (Business Law Currents) – Ever-growing reliance on technology in customer interactions, proprietary data storage and even normal business operations is creating increased risk for companies working to ensure these systems remain uncompromised. As threats of cyber-attacks expand across industries, and given the potential material impact on operations, the security of these digital technologies from internal and external threats is vital.
Prior to newly released SEC guidance, there were no existing requirements to explicitly disclose these cyber-risks. With annual reports now being filed and sent to shareholders, companies have made varied levels of cyber-risk disclosure, and these disclosures may expand in the future with subsequent regulatory oversight.
On October 13, 2011, the Division of Corporation Finance of the Securities and Exchange Commission (DoCF) issued CF Disclosure Guidance: Topic #2 (Guidance), related to disclosure obligations regarding cyber-security risks and cyber-incidents for public companies dependent on digital technologies. The non-binding Guidance was provided in response to a growing sentiment that there needed to be a better matrix within which risk disclosures are made under federal securities laws.
The Guidance leaves the inclusion of cyber-security risks to the individual company, but stresses that relevant risk disclosures do not need to be detailed to the extent they would harm security efforts. However, it recommends that any risk disclosure be company-specific in nature.
While the Guidance contains broad language regarding the manner in which a cyber-attack may occur, cyber-related disclosures should be evaluated when companies prepare disclosures in their Forms 10-K, 20-F, 40-F, as well as financial statements and annual reports. The management discussion and analysis section could be the ideal place to address cyber-security risk or cyber-incidents if costs or consequences related to known incidents or risk of possible incidents present a material event, trend or uncertainty reasonably likely to have a material effect on a company’s results or financial condition.
10-Ks generally highlight cyber-security issues in their risk factor sections with varying degrees of specificity as to the nature and scope of risks. A good example of a disclosure with wide scope is that of NBCUniversal Media, LLC, which states that activities such as computer hacking, cyber-attacks, or “other malicious activities” could disrupt services. It also mentions that security breaches such as misusage and “leakage” could lead to significant capital outlays that insurance may not cover.
Some 10-K disclosures are more specific and run a lengthier list of risk factors. KBR, Inc.’s risk factors section mentions that failure or disruption of its IT systems could disrupt or decrease performance, with litigation contingencies clearly delineated. Supermedia Inc states that breaches of cyber/data security measures, such as loss of confidential or proprietary data, could materially and adversely affect its reputation.
While these examples show that disclosure standards are varied across companies, the notification standards following a security breach appear equally in flux. US Airways Group Inc states in its 10-K that, in light of cyber-security risks, it has seen a heightened legislative and regulatory focus on data security. This focus includes requirements for “varying levels of customer notification” in the event of a breach. Geeknet Inc notes in its risk factors section that a security breach due to cyber-attacks that leads to misuse of customer information could compel the company to comply with “disparate breach notification laws in various jurisdictions.”
Cyber-threats may appear more prominently in certain industries, particularly ones where large amounts of personal data are handled on a daily basis. Retailers, already keenly aware of privacy laws and their effect on how sensitive personal data may be collected and used, need to be especially aware of the risks cyber-threats present. A cyber-attack on the computer systems holding such sensitive information could result in a breach of these privacy laws.
Some retailers have begun to disclose these risks within their risk factors. Chicos FAS Inc states in its 10-K that it has a cyber-security risk due to the nature of its business involving the storage and transmission of customers’ personal information. Chicos also notes that a successful attack could result in its reputation being damaged, potential lost business, and fines due to non-compliance with privacy laws. Similarly, Nordstrom Inc states that its risk extends to its own credit operations, social networking and “other online activities” it uses to connect with customers.
Children’s Place Retail Stores Inc goes into greater detail with respect to the risks cyber-threats pose, and the mitigating actions it has taken. The company notes that a cyber-attack could result in the theft of confidential data, operational delays resulting from disruption of the computer network, negative publicity and lost sales. While the systems and procedures it has in place meet the Payment Card Industry data security standards, the company notes that customers have high expectations for the protection of their personal data.
The healthcare industry also faces an increased cyber-security risk for its storage of sensitive patient information, which is regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Retirement home operator AdCare Health Systems Inc sees threats for cyber-attacks to its computer systems in the processing, transmission and storing of sensitive patient information. AdCare notes that if patient data is improperly accessed it may face sanctions or criminal procedures if it were found to be in violation of privacy rules under HIPAA.
When a company experiences a cyber-incident, the Guidance notes that the company may need to disclose the incident and its effects rather than make only a general disclosure of cyber-threat risk. Global Payments Inc acknowledged that cyber-attacks had breached its systems, and that the unauthorized access included sensitive credit card data. While the company has not been able to measure the full effects of the breach, it disclosed that it has increased its network monitoring and security measures in response. Similarly, Zogenix Inc disclosed that it experienced information system failures that may have been the result of a cyber-attack. The security breach disrupted normal business operations and took a “substantial expenditure” of financial resources to remedy.
While not an outright security breach, Northrim Bancorp Inc disclosed that it is exposed to cyber-attacks in the normal course of business. Northrim believes that these attacks are made for the intended theft of financial assets, but has not incurred material losses related to any attack.
The risk of cyber-attacks in a digital world is unlikely to diminish. Companies must seek to secure themselves from attacks or face the financial, legal and reputational damage that a security breach would cause. Sound corporate governance practices, including extensive shareholder communication and timely disclosure, will ensure that investors are fully aware of the risks involved. The SEC’s current non-binding guidance is a step in the right direction, but as cyber-threats loom ever larger on the corporate landscape, further guidance may become far more stringent.
(This article was first published by Thomson Reuters’ Business Law Currents, a leading provider of legal analysis and news on governance, transactions and legal risk. Visit Business Law Currents online at http://currents.westlawbusiness.com.)