Luke Dembosky and Jeremy Feigelson are partners at Debevoise & Plimpton LLP. This post is based on a Debevoise & Plimpton publication by Mr. Dembosky, Mr. Feigelson, Jim Pastore, Paul M. Rodel, David M. Becker, Brett M. Novick, and Benjamin R. Pedersen.
Cybersecurity threats pose real challenges for any company, including the theft of valuable intellectual property and the reputational harm caused by losses of customer information. Attendant to the operational and financial challenges associated with cybersecurity threats, SEC reporting companies must also consider their disclosure obligations resulting from the risk or occurrence of data breaches or other cybersecurity events.
During the period from January 2013 through the third quarter 2015, there were 20 reported incidents of major data breaches or cybersecurity events at Fortune 100 companies. While this number is without doubt a fraction of the total cybersecurity events experienced at these and similar companies during that time, a survey of these cybersecurity events, and the manner in which each of the 18 affected companies responded in their SEC filings, is instructive. We have compiled a detailed database, comparing disclosure responses of these companies across a number of vectors in order to guide this complex process.