Leading Digital and Cybersecurity Risk Factor Disclosures for SEC Registrants

Paul Ferrillo is partner at McDermott Will & Emery LLP; Bob Zukis is Adjunct Professor of Management and Organization at the USC Marshall School of Business; and Christophe Veltsos is a Professor at Minnesota State University.

As the United States continues to reel under the systemic risks and failures of the expanding coronavirus, cybersecurity risk remains a present and escalating threat to America’s companies and its future. At the same time, the amount of business value reliant upon digital technologies continues to grow.

An accurate understanding of digital and cybersecurity risk is vital to protect investor and public interests now, and into the digital future. Both business risk and litigation risk will continue to grow alongside the migration to the digital future.

And regulators have taken notice. The SEC wants registrants to do a more specific job with risk factor disclosure and to specifically up their game with regard to cybersecurity risk disclosure.

Disclosure plays an important role in risk understanding, reduction, and litigation risk management. When it comes to vigorously defending cybersecurity breaches during litigation, companies depend upon both their actual duties of risk oversight and management, and what they’ve disclosed about risk.

Boardroom oversight of cybersecurity risk is not generally regulated by any particular statute, rule or regulation. It is however “guided” by three factors:  the 2011 Staff SEC Cybersecurity guidance, the 2018 full SEC Commission Cybersecurity Guidance and the element of good faith that is inherent under Delaware law. [1]

Regulatory standards do not yet define the breadth and scope of the duty of boardroom oversight over digital and cybersecurity risk. But what we know is that boardroom oversight will be looked at in the “rear view mirror” of litigation against the company, executive management, and the board of directors.

Because regulatory guidance frequently lags the reality of risk, companies can benefit from instruction beyond the existing SEC guidance and regulations.

For this reason, we set forth a compilation of cybersecurity risk factor disclosures that are instructional of leading practice. Cybersecurity risk factor disclosures are as of yet, under-developed for many registrants. A compilation is therefore a useful practice to present a comprehensive model disclosure that reflects the broad scope and realities of digital and cybersecurity risk.

In addition, we review the 2011 and 2018 SEC cybersecurity guidance to highlight key SEC trends.

The SEC’s Inaugural Guidance: CF Disclosure Guidance: Topic No. 2 (2011) [2]

The 2011 guidance was issued by the SEC’s Division of Corporate Finance and was their first attempt to define the contours of when and what sort of risk disclosure should be issued by registrants to advise them of a company’s cybersecurity risk profile. This guidance was not a rule, regulation or statement of the Commission.

Key to the 2011 guidance was that it recognized cybersecurity risk as a business risk and also identified the balance between meaningful disclosure and the conflict of revealing too much information that could compromise a firm’s cybersecurity posture.

The 2011 guidance addressed the impact of cybersecurity incidents in meaningful detail:

Registrants that fall victim to successful cyber attacks may incur substantial costs and suffer other negative consequences, which may include, but are not limited to:

  • Remediation costs that may include liability for stolen assets or information and repairing system damage that may have been caused. Remediation costs may also include incentives offered to customers or other business partners in an effort to maintain the business relationships after an attack;
  • Increased cybersecurity protection costs that may include organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third party experts and consultants;
  • Lost revenues resulting from unauthorized use of proprietary information or the failure to retain or attract customers following an attack;
  • Litigation; and
  • Reputational damage adversely affecting customer or investor confidence.

In this first document, the SEC defined the far-reaching business impacts of cybersecurity risk along with its pre- and post-breach costs. This guidance also included suggested areas where cybersecurity related disclosure may be warranted and inaugurated their push for specific guidance, not boilerplate or generic disclosure:

Registrants should not present risks that could apply to any issuer or any offering and should avoid generic risk factor disclosure. Depending on the registrant’s particular facts and circumstances, and to the extent material, appropriate disclosures may include:

  • Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
  • To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
  • Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
  • Risks related to cyber incidents that may remain undetected for an extended period; and
  • Description of relevant insurance coverage.

This inaugural guidance acknowledges third-party risk although it does not explicitly address the growing systemic threats that exist throughout every complex digital business system.

The SEC Turns Up the Heat: 2018 Cybersecurity SEC Commission Guidance

After 2011, business leaders and regulators woke up to cybersecurity risks due to the seemingly daily cybersecurity breaches. First there was the Yahoo breach of 2014, which affected about 500 million customer accounts. [3]  Some of the breaches, like Equifax, were of epic proportions as well, affecting 147 million customers.  Now, apparently the Equifax breach had nation-state implications as well. [4]

In 2018, the SEC stepped in and issued formal interpretive guidance. [5]

The SEC’s 2018 guidance significantly escalated in tone as they stated “Cybersecurity risks pose grave threats to investors, our capital markets and our country.” They also likened digital and cybersecurity risk to the critical power infrastructure that every company relies upon when they said “Today, the importance of data management and technology to business is analogous to the importance of electricity and other forms of power in the past century.”

The SEC added more detail to their list of negative consequences from cybersecurity incidents acknowledging that the stakes are going up with cybersecurity risk. They specifically mention the negative consequences of the broadening legal risk landscape, “including regulatory actions by state and federal governmental authorities and non-US authorities.”

In addition to the expansion of the SEC’s list of negative consequences, the 2018 guidance focused on the “importance of cybersecurity policies and procedures and the application of insider trading provisions in the cybersecurity context.”

Notably, in the SEC’s 2018 guidance they also acknowledged the connection between the board’s role in risk management and cybersecurity risk saying:

“To the extent cybersecurity risks are material to a company’s business, we believe this discussion [under item 407(h) of Regulation S-K and Item 7 of Schedule 14A which requires a company to disclose the extent of its board of directors’ role in the risk oversight of the company] should include the nature of the board’s role in overseeing the management of that risk.”

They went on to say “In addition, we believe disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.”

In short, in 2018 the SEC made it clear that the buck stops on cybersecurity risk in the corporate boardroom.

Finally, the SEC Commissioners noted that:

“Cybersecurity risk management policies and procedures are key elements of enterprise-wide risk management, including as it relates to compliance with the federal securities laws. We encourage companies to adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly, including the sufficiency of their disclosure controls and procedures as they relate to cybersecurity disclosure. Companies should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder, to enable senior management to make disclosure decisions….”

We find most critical the synergistic approach of the Commission in the 2018 cybersecurity guidance. First the SEC noted the board’s role in discharging its risk oversight duties when it comes to cybersecurity. Second it reaffirmed its view that cybersecurity is a key element of enterprise risk management And third the Commissioners noted the importance that cybersecurity disclosure controls (i.e. escalation of information to the C-Suite and the Board) is critical to allowing disclosure decisions to be made in a timely fashion in compliance with federal securities law.

But opinion of some on the 2018 SEC guidance, including from within the SEC itself, was that the regulation didn’t go far enough to protect investors and the public. [6]

In consideration of this, and recognizing the expanding cybersecurity threat along with the increasing amount of business value that is being derived by digital means, we offer a comprehensive instructional disclosure for digital and cybersecurity risk in the form of a compilation of select risk factor disclosures from some leading companies.

A Leading Practices Compilation of Risk Factor Disclosures on Digital and Cybersecurity Risk

This model instructional disclosure is comprised of actual risk factor statements from Form 10-K disclosure statements related to digital and cybersecurity risk. It is compiled against the eight critical domains of systemic risk that exist in every complex digital business system, i.e., data, iArchitecture, risk communications, emerging technology, cybersecurity, third-party, operations of IT and regulation. [7]  The compiled disclosure follows:

Item 1A: Risk Factors

If our electronic data is compromised our business could be significantly harmed.

We and our business partners maintain significant amounts of data electronically in locations around the world. This data relates to all aspects of our business, including current and future products and entertainment under development, and also contains certain customer, consumer, supplier, partner and employee data. We maintain systems and processes designed to protect this data, but notwithstanding such protective measures, there is a risk of intrusion, cyber-attacks or tampering that could compromise the integrity and privacy of this data. In addition, we provide confidential and proprietary information to our third-party business partners in certain cases where doing so is necessary to conduct our business. While we obtain assurances from those parties that they have systems and processes in place to protect such data, and where applicable, that they will take steps to assure the protections of such data by third parties, nonetheless those partners may also be subject to data intrusion or otherwise compromise the protection of such data. Any compromise of the confidential data of our customers, consumers, suppliers, partners, employees or ourselves, or failure to prevent or mitigate the loss of or damage to this data through breach of our information technology systems or other means could substantially disrupt our operations, harm our customers, consumers, employees and other business partners, damage our reputation, violate applicable laws and regulations, subject us to potentially significant costs and liabilities and result in a loss of business that could be material. (Systemic risk domains: Data, Source: Hasbro Inc. FORM 10-K FYE 12/29/2019)

Defects or disruptions in our services could diminish demand for our services and subject us to substantial liability.

Because our services are complex and incorporate a variety of hardware, proprietary software and third-party software, our services may have errors or defects that could result in unanticipated downtime for our subscribers and harm to our reputation and our business. Cloud services frequently contain undetected errors when first introduced or when new versions or enhancements are released. We have from time to time found defects in, and experienced disruptions to, our services and new defects or disruptions may occur in the future. Such defects could also create vulnerabilities that could inadvertently permit access to protected customer data. For example, in fiscal 2020, we experienced a significant service disruption due to an internally deployed software update that had an unintended impact on our services for certain customers. As a precaution, we immediately disabled access to our services for potentially impacted customers while we worked to remediate the issue. Upon completion of the evaluation of the cause and impact of the disruption, we determined it did not materially affect our business, reputation or financial results. (Systemic risk domains: iArchitecture, Source: salesforce.com, inc. FORM 10-K FYE 1/31/2020)

A failure to keep pace with developments in technology could impair our operations or competitive position.

Our business continues to demand the use of sophisticated systems and technology. These systems and technologies must be refined, updated and replaced with more advanced systems on a regular basis in order for us to meet our customers’ demands and expectations. If we are unable to do so on a timely basis or within reasonable cost parameters, or if we are unable to appropriately and timely train our employees to operate any of these new systems, our business could suffer. We also may not achieve the benefits that we anticipate from any new system or technology, such as fuel abatement technologies, and a failure to do so could result in higher than anticipated costs or could impair our operating results. (Systemic risk domains: Emerging Technology, Source Norwegian Cruise Lines Holding Ltd. FORM 10-K FYE 12/31/2019)

An information security incident, including a cybersecurity breach, could have a negative impact to the Company’s business or reputation

To meet business objectives, the Company relies on both internal information technology (IT) systems and networks, and those of third parties and their vendors, to process and store sensitive data, including confidential research, business plans, financial information, intellectual property, and personal data that may be subject to legal protection. The extensive information security and cybersecurity threats, which affect companies globally, pose a risk to the security and availability of these IT systems and networks, and the confidentiality, integrity, and availability of the Company’s sensitive data. The Company continually assesses these threats and makes investments to increase internal protection, detection, and response capabilities, as well as ensure the Company’s third party providers have required capabilities and controls, to address this risk. To date, the Company has not experienced any material impact to the business or operations resulting from information or cybersecurity attacks; however, because of the frequently changing attack techniques, along with the increased volume and sophistication of the attacks, there is the potential for the Company to be adversely impacted. This impact could result in reputational, competitive, operational or other business harm as well as financial costs and regulatory action. The Company maintains cybersecurity insurance in the event of an information security or cyber incident, however, the coverage may not be sufficient to cover all financial losses. (Systemic risk domains: Cybersecurity and Third-Party, Source: Johnson & Johnson FORM 10-K FYE 12/29/2019)

Our technology transformation strategy places a significant strain on our management, operational, financial and other limited resources.

As part of our technology transformation strategy, we are transitioning and migrating our data systems from traditional data centers to cloud-based platforms. This initiative will place significant strain on our management, personnel, operations, systems, technical performance and financial resources and internal financial control and reporting function. In addition, many of our existing personnel do not have experience with native cloud-based technologies and, as a result, we have and will continue to hire personnel with such experience. This effort will be time consuming and costly. Our technology transformation strategy requires management time and resources to educate employees and implement new ways of conducting business. The dedication of resources to our technology transformation strategy and cloud-based technologies limits the resources we have available to devote to other initiatives or growth opportunities, or to invest in the maintenance of our existing internal systems. We cannot guarantee that our strategy is the right one or that investments in alternative technologies or other initiatives would not be a better use of our limited resources. (Risk factor domains: Risk Communications and Operations of IT, Source Equifax Inc. FORM 10-K FYE 12/31/2019)

We may face particular data protection, data security and privacy risks in connection with the European Union’s Global Data Protection Regulation and other privacy regulations.

Strict data privacy laws regulating the collection, transmission, storage and use of employee data and consumers’ personally-identifying information are evolving in the European Union, U.S. and other jurisdictions in which we operate. The GDPR, which became effective on May 25, 2018, imposes new compliance obligations for the collection, use, retention, security, processing, transfer and deletion of personally identifiable information of individuals and creates enhanced rights for individuals. In the CCPA, which grants expanded rights to access and delete personal information, and the right to opt out of the sale of personal information, among other things, became effective on January 1, 2020.

These changes in the legal and regulatory environments in the areas of customer and employee privacy, data security, and cross-border data flows could have a material adverse effect on our business, primarily through the impairment of our marketing and transaction processing activities, the limitation on the types of information that we may collect, process and retain, the resulting costs of complying with such legal and regulatory requirements and potential monetary forfeitures and penalties for noncompliance. (Systemic risk domains: Regulation, Source: Hertz Inc. Form 10-K FYE 12/31/2019)

The compilation of digital and cybersecurity risk related disclosures we shared in this document provides an instructional model of the unique digital and cybersecurity risk factors that investors and the public need to understand for these companies.  The increasing amount of business value at stake and liability for companies and directors, mandates accurate disclosure and risk mitigation to these issues.

Endnotes

1See “Boards should care more about Recent Caremark Claims and Cybersecurity,” available at   https://corpgov.law.harvard.edu/2020/09/15/boards-should-care-more-about-recent-caremark-claims-and-cybersecurity/(go back)

2https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm(go back)

3See https://www.reuters.com/article/us-yahoo-cyber/yahoo-says-hackers-stole-data-from-500-million-accounts-in-2014-idUSKCN11S16P. (go back)

4See https://krebsonsecurity.com/2020/02/u-s-charges-4-chinese-military-officers-in-2017-equifax-hack/.(go back)

5See “Commission Statement and Guidance on Public Company Cybersecurity Disclosures,” 17 CFR Parts 229 and 249 available at https://www.sec.gov/rules/interp/2018/33-10459.pdf. (go back)

6See https://www.marketwatch.com/story/sec-issues-updated-cybersecurity-risk-guidance-but-some-say-not-nearly-enough-2018-02-21 (go back)

7The DiRECTOR™ framework for understanding systemic risk in complex digital business systems was created by Digital Directors Network.(go back)

Both comments and trackbacks are currently closed.