Here’s what directors need to know about what to say and when to say it.
By Edward Normandin and Matthew Repetto
Last April, the Securities and Exchange Commission (SEC) reached a settlement of $35 million with Altaba, Inc. over charges that the company misled investors by failing to disclose a massive 2014 cyber breach.
The settlement against Altaba, formerly known as Yahoo! Inc., came just a few months after the SEC published new guidance on cybersecurity disclosures.
While this SEC enforcement action was the first of its kind, it, along with the release of the 2018 guidance and the increasing frequency of cybersecurity-related comments from the agency, signaled the SEC’s heightened attention to cybersecurity disclosure and the need to properly and promptly disclose breaches.
Such disclosure decisions, however, can be difficult for directors and officers and should be handled carefully in light of the possible business, financial and legal implications.
When a U.S. public company suffers a cybersecurity attack, its directors and officers have a responsibility to ensure that their company takes appropriate steps to investigate, evaluate and remedy the breach. Presently, there are no explicit cybersecurity disclosure requirements, which has led to uncertainty around a company’s duty to disclose.
For example, when Home Depot, EMC and Heartland Payment Systems endured cyberattacks, each company elected to file a standard investor notification document known as Form 8-K to report the event, while others, such as Target, Altaba and Michael’s Stores, did not.
Absent explicit disclosure requirements, the duty to disclose is evaluated using conventional disclosure principles, which turn upon whether or not the information or event is "material."
Information is "material" if there is a substantial likelihood that it would be viewed by a reasonable investor to have significantly altered the total mix of available information. Materiality judgments necessarily vary from company to company and a public company must weigh numerous qualitative and quantitative factors to reach its own materiality determination. Once a materiality determination has been made, it is the duty of directors and officers to ensure the company properly discloses the material information related to the cybersecurity breach.
In the course of this process, directors and officers should pay mind to the following considerations:
Gather all relevant information and make an informed materiality judgment. Determining the "materiality" of a cybersecurity breach requires directors and officers to be informed of all relevant information. The most proactive of companies will have disclosure controls and procedures already in place which provide the board and senior management with information on the impact the incident will have on the company’s business, and perhaps also have internal protocols for determining materiality.
With relevant information in hand, management can begin to review the qualitative and quantitative factors they deem necessary to make a materiality assessment. In this context, factors to consider are:
- the importance of the compromised data or information to the company;
- the nature, extent and potential magnitude of any compromised information;
- the likely impact of the incident on company operations;
- the range of harm (e.g. financial, legal, reputational, relational) that the incident could cause; and
- the possibility of regulatory action (e.g. by the Federal Trade Commission, Department of Health & Human Services, Federal Communications Commission, SEC, state attorneys general or foreign governments) or litigation (e.g. civil suit, class action suit).
Disclose promptly but not prematurely. The occurrence of the cyber breach in and of itself is not a required disclosure absent a determination of materiality, so public companies need not rush to immediately report the breach on Form 8-K or in a press release. However, companies should quickly assemble their response teams and gather facts relating to the event so that management can make a prompt initial assessment of materiality and disclose accordingly. A premature disclosure that lacks sufficient information for an investor to consider, or that may later prove to be materially incorrect, can be very damaging. On the other hand, delaying an initial disclosure until an internal or external investigation is completed is likely to be too late in the eyes of the SEC and shareholders.
Provide meaningful updates to prior disclosures. During the course of a proper internal or external investigation, the targeted public company will learn more about the nature and importance of the lost, stolen or accessed data and information, the extent and scope of the breach, and its existing and potential impact on the company’s operations, financial performance, and customer and vendor relationships, among other things.
Such new information may itself be material or it may reveal that an earlier disclosure was incorrect or potentially misleading. In some instances, securities laws impose a duty to promptly correct and update prior disclosures when such disclosures become misleading in light of later events. Depending on the nature of the updated information, it may be advisable to disclose in a Form 8-K. In other instances it may suffice to delay disclosure until the next periodic filing (e.g. Form 10-Q or 10-K). Other updates may include remediation efforts made by the company to address the breach and the current status of any law enforcement action or regulatory investigation.
Cooperate with regulatory investigations and actions by governmental authorities and non-U.S. authorities. A public company’s incident response plan will typically call for notifying proper law enforcement or other governmental authorities following a company’s initial assessment of a cyber-related breach. It is crucial to cooperate with any investigation and discuss and coordinate any public statements to the news media or in a company’s SEC filings. This may require a balancing of interests between maintaining confidentiality of an investigation and a company’s disclosure duties.
It should be noted that the SEC has cautioned that an ongoing internal or external investigation would not on its own provide a basis for avoiding or delaying disclosure of a material cybersecurity incident.
Going forward, provide more robust cybersecurity risk disclosure in Forms 10-Q and 10-K. Ideally, prior to the occurrence of a cybersecurity breach or incident, a public company will have been proactive about its cybersecurity risk disclosures. This includes having one or more tailored risk factors in its Form 10-K and addressing cybersecurity risks in other sections of the Form 10-Q and Form 10-K, such as in its discussions of the business, management’s discussion and analysis of its financial position and results of operations, disclosure controls and procedures, and corporate governance sections.
The occurrence of a breach incident will necessitate updating and/or refining current and forward-looking disclosures to account for, among other things, the recent cybersecurity incident, the potential financial and operational impact of the incident and any future incident and the company’s response readiness (both operationally and financially).
Cybersecurity risk and incident disclosures, generally, are still in their infancy and disclosure best practices will take time to fully develop. In the meantime, upon a cybersecurity breach, the directors and officers of a U.S. public company should engage the proper internal and external personnel and carefully assess its materiality before making the difficult and sensitive decisions about what and when to disclose in its SEC filings.
Edward Normandin is a partner in Pryor Cashman’s Corporate Group, where he represents businesses at all stages of growth on compliance, governance and financing issues, and a range of transactional matters. Matthew Repetto is an associate in Pryor Cashman’s Corporate Group, where he advises public and private companies on transactions and general corporate matters.