Increasingly, C-suite executives and board members have questions about their companies' cybersecurity practices, or lack thereof. This monthly series is intended to provide high-level answers to some of those questions, specifically focusing on the development of cybersecurity policies, incident-response plans, liability of board members and executives for data breaches, and the attorney-client privilege for cybersecurity investigations. Part five explained the patchwork of state laws that require companies to notify consumers and state regulators of certain data breaches.

Part 6: What are the SEC’s cybersecurity reporting rules for publicly traded companies?

As data breaches, denial of service attacks, and other cybersecurity incidents increasingly threaten companies’ bottom lines, executives understandably want to know whether they should be reporting these risks to shareholders and securities regulators.

The Securities Exchange Act of 1934, and the accompanying regulations adopted by the Securities and Exchange Commission, require publicly traded companies to disclose significant risk factors, incidents that materially affect the company’s operations or financial condition, large ongoing litigation, and other information that could affect investors’ decisions. 

As we’ve discussed in previous installments of this series, cybersecurity incidents can cost companies millions of dollars in lost revenues, remediation costs, legal fees, and court verdicts or settlements. Accordingly, any significant cybersecurity risks or incidents appear to be likely candidates for disclosures in SEC filings.

But as with many legal issues, there are very few black-letter rules that instruct companies when they face this obligation. Although the statute and SEC regulations require disclosures of material risks, they do not mention cybersecurity.

The closest guidance to which publicly traded companies can look is a document published by the SEC’s Division of Corporation Finance in October 2011. Although this is a non-binding document, and was not approved by the full Commission, over the past five years companies have frequently looked to this guidance in determining how to disclose cybersecurity risks and incidents. In this guidance, the SEC staff describes how certain existing disclosure requirements might apply to cybersecurity issues.

The SEC’s regulations require companies to disclose “risk factors” in their annual reports (known as 10-Ks). The regulations define “risk factors” as “the most significant factors that make the offering speculative or risky.” In its cybersecurity guidance, the SEC stated that when determining whether to disclose cybersecurity risk factors, companies should consider the frequency and severity of previous incidents, the likelihood of future incidents, and “the quantitative and qualitative magnitude of those risks.” Among the specific disclosures that companies should make, the SEC stated, are the cybersecurity risks of outsourcing, applicable insurance, and the specific aspects of the company’s business that could create cybersecurity risks.

Although the SEC warns companies to avoid “boilerplate” disclosures of cybersecurity risks, it also noted that companies are not required to disclose facts that “would compromise a registrant’s cybersecurity.” The SEC encourages companies to “provide sufficient disclosure to allow investors to appreciate the nature of the risks faced by the particular registrant in a manner that would not have that consequence.”

In practice, many companies have found it difficult to fully disclose cybersecurity risks without compromising security. Moreover, detailed disclosures could put them at risk for class action lawsuits and expose valuable information to competitors. This has led many companies to provide broad “boilerplate” disclosures of cybersecurity issues in the “Risk Factors” section, for instance, broadly warning about the risk of litigation and service disruption arising from data breaches. “Companies don’t want to be at the risk of omitting material information, so they put in a boilerplate statement,” Jean Rogers, chief executive of the Sustainability Accounting Standards Board, told ComplianceWeek last year.

The SEC guidance also suggested that companies consider mentioning cybersecurity risks in other portions of their 10-K filings. For instance, companies should disclose cybersecurity risks in Management’s Discussion and Analysis of Financial Condition and Results of Operations if cybersecurity incidents are “reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.”

Companies should discuss cybersecurity in the 10-K filing’s “Description of Business” if cyber incidents “materially affect” services, products, or business relationships. And companies are required to disclose material pending legal proceedings, including data breach class action lawsuits.

Companies face a more immediate, and more difficult, question in the days after they have experienced a data breach: should they immediately report the incident to shareholders through an SEC filing? Companies may file a Form 8-K if an event occurs that the company “deems of importance to security holders.” Unlike 10-K forms, which are filed annually, 8-Ks can be filed at any time throughout the year.

Many, but not all, publicly traded companies that have experienced highly publicized data breaches have filed 8-K forms to disclose the breaches to the SEC and shareholders. However, there often is a lag. For instance, on Feb. 26, 2014, Target disclosed the massive data breach that it experienced during the 2013 holiday shopping season. In the 8-K, Target stated that the breach “has resulted in government inquiries and private litigation, and if our efforts to protect the security of personal information about our guests and team members are unsuccessful, future issues may result in additional costly government enforcement actions and private litigation and our sales and reputation could suffer.”

Although the SEC’s cybersecurity disclosure guidance for publicly traded companies is a bit murky, companies should keep an eye out for potential changes to the SEC’s expectations. The SEC staff guidance is nearly five years old, and much has changed in the cybersecurity landscape since then. In 2014, the SEC held a roundtable on its cybersecurity disclosure requirements. At the roundtable, SEC Chair Mary Jo White noted that staff had continued to study cybersecurity issues, “including the intersection of our investor-focused disclosure requirements and the types of information those with national security responsibility need in order to better protect our critical infrastructure.”

And in June 2015, Reps. Jim Langevin and Jim Himes wrote a letter to White in which they urged the SEC to require 10-K filings to contain a “clear description” of a number of cybersecurity issues, including how the company “determines the best cybersecurity practices for its industry,” whether the company conforms to those practices, the company’s cybersecurity plan, and the involvement of top management and the board of directors in cyber incidents.
