How to Disclose a Cybersecurity Event: Recent Fortune 100 Experience

Luke Dembosky and Jeremy Feigelson are partners at Debevoise & Plimpton LLP. This post is based on a Debevoise & Plimpton publication by Mr. Dembosky, Mr. Feigelson, Jim Pastore, Paul M. Rodel, David M. Becker, Brett M. Novick, and Benjamin R. Pedersen.

Cybersecurity threats pose real challenges for any company, including the theft of valuable intellectual property and the reputational harm caused by losses of customer information. Attendant to the operational and financial challenges associated with cybersecurity threats, SEC reporting companies must also consider their disclosure obligations resulting from the risk or occurrence of data breaches or other cybersecurity events.

During the period from January 2013 through the third quarter 2015, there were 20 reported incidents of major data breaches or cybersecurity events at Fortune 100 companies. While this number is without doubt a fraction of the total cybersecurity events experienced at these and similar companies during that time, a survey of these cybersecurity events, and the manner in which each of the 18 affected companies responded in their SEC filings, is instructive. We have compiled a detailed database, comparing disclosure responses of these companies across a number of vectors in order to guide this complex process.

The bottom line is that most companies did not handle initial disclosure of a breach through a current report on a Form 8-K, instead deferring disclosures to the next periodic filing. Most companies did, however, update disclosures in the context of their annual report.

Initial Disclosure

Current Reports

Initial public announcement of a breach is more typically made via press coverage than in a current report on Form 8-K. Affected companies most often waited for their first subsequent periodic report (i.e., Form 10-Q or Form 10-K) before disclosing the event in SEC filings. Companies that elected to disclose in a current report most often did so where the breach involved customer financial information.

When determining whether or not to report a cybersecurity event, in addition to materiality, registrants must also consider risks associated with drafting initial disclosure with incomplete data. In the immediate aftermath of a major breach, the “known” facts may represent a small piece of the cybersecurity risk mosaic, and companies electing to publicly disclose the occurrence of a cybersecurity event before completing a full investigation risk making incomplete, or, worse yet, inaccurate disclosure. In the initial period following a cybersecurity event, affected companies should also be mindful of selective disclosure issues and their obligations under Regulation FD.

First Subsequent Periodic Report

Affected companies frequently used the first periodic filing after a cybersecurity event to review and update risk factors related to cybersecurity. Where the first periodic filing was a quarterly report, affected companies were more likely to defer updating risk factors, consistent with the generally infrequent practice of updating risk factors in quarterly reports. However, if the cybersecurity event was material to the affected company’s business (and, in particular, if the company had previously disclosed the cybersecurity event via a current report), the cyber risk factors were more likely to be addressed. On the other hand, if the first subsequent periodic report was an annual report, affected companies almost uniformly took the opportunity to update their cyber risk factors and, in most instances, referred specifically to the cybersecurity event.

Subsequent Updates

Risk Factor Updates

Even where the affected company had updated its cyber risk factors in its first quarterly report following the cybersecurity event, further updates were often included in the first subsequent annual report. Many registrants view annual reports as an opportunity to update and tailor risk factors generally, and the occurrence of an intervening cybersecurity event provides fodder for such fine tuning, including potentially adding specific reference to the cybersecurity event.

Affected companies did not generally engage in continued updating of disclosure in later quarterly reports following the initial disclosure unless the cybersecurity event had an ongoing material impact on the business, for instance as a result of ongoing financial obligations related to cybersecurity events (e.g. litigation or regulatory responses).

Overall, we identified a trend of including specific reference to recent cybersecurity events in risk factors, though some companies instead chose to disclose the types of risks associated with a previous cybersecurity event without actually calling out the event. This decision may have been driven by the materiality of the cybersecurity event: the less material the event, the less the need to disclose with specificity. Other cyber risk factor trends included noting that both consumer data and employee data may be targeted, the risk of breaches at third parties that handle the registrant’s data, the internal procedures in place to protect data and detect breaches, and disclosure regarding cyber insurance.

Other Updates

Disclosure related to cybersecurity at affected companies was less frequently included outside of the risk factors. When disclosure appeared elsewhere, the financial statement footnotes or Management’s Discussion and Analysis were most frequent, though disclosure also occasionally appeared in Legal Proceedings and Business sections. Often, disclosure was via cross-reference to the financial statement footnotes, underscoring that such disclosure generally flows from ongoing financial obligations related to cybersecurity events.

There were few instances of cybersecurity disclosure outside of current reports and periodic reports. In the event of a major business or financing transaction, it is possible that disclosure will be necessary as part of the description of that transaction. In certain circumstances, cyber disclosure may also be included in the Proxy Statement following a cybersecurity event, for instance to discuss the formation of a committee to oversee cybersecurity risks. It will be interesting to observe this trend over time, as the SEC continues to focus on cybersecurity, and boards of directors become more involved in overseeing cyber-preparedness and in responding to cybersecurity events.

Conclusion

Calibration of a registrant’s disclosure response must take into account a number of variables, must be done on a case-by-case basis, and must reflect that many key facts and circumstances may not yet be known with certainty. Those companies seeking to mitigate the legal risks that can flow from untimely—or, worse, inaccurate—disclosures would do well to take stock of where their key information assets reside now, and how those assets are protected. That way, in a breach situation, the company may be able to more quickly ascertain whether information was accessed, the nature of the information (if any) that was accessed, and the materiality of the breach.
