NYLJ.COM | Cybersecurity | MONDAY, JUNE 5, 2017 | S5
guidance on disclosing cybersecurity risks and incidents to investors.4 The guidance acknowledged that public companies are not explicitly required to disclose cyber risks and incidents, but noted that certain disclosure requirements “may impose an obligation” for such disclosure. Those obligations may include situations where cybersecurity factors are “among the most significant” in making the investment risky, or where they materially affect the company’s operations or financial condition.
This “materiality” test allows companies to decide whether a data breach is material enough to warrant SEC disclosure. Perhaps unsurprisingly, a 2016 Audit Analytics study of SEC filings revealed that only 95 of the approximately 9,000 publicly listed companies have informed the SEC of a data breach since January 2010.5 It appears that many public companies thus do not disclose breaches that may adversely affect their financial performance, based on their own determination that the breach is immaterial to an investor’s decision to purchase the company’s stock.
Although Clayton emphasized that materiality remains the “touchstone” for evaluating whether to disclose information to an investor, he did not commit to issuing any additional guidance or offer an alternative path (legislative or regulatory) to address disclosures. Absent further guidance, companies may have limited information to help guide what is ultimately a very subjective determination about which attacks are material—a concern that is compounded for companies that face constant attacks and attempted breaches.
Enforcement Activity
Despite the limited number of cybersecurity disclosures, the SEC has yet to bring a formal enforcement action against a company for failure to disclose cyber incidents and risks. Recent statements from the Enforcement Division, however, make clear that the Commission has not ruled out doing so. Speaking at the International Association of Privacy Professionals’ Global Privacy Summit in April, acting Enforcement Director Stephanie Avakian said she “absolutely” saw circumstances where the SEC would bring an enforcement action for inadequate disclosures either before or after a data breach.6 Avakian explained that the SEC was not interested in second-guessing a company’s good-faith disclosure decision or “looking for a slip on the banana peel,” but would instead focus on significant disclosure failures.
The SEC’s continued evaluation of what constitutes a significant failure is worth watching under Clayton, who testified that he has “every confidence” that the Enforcement Division will continue to drive the SEC’s enforcement activity. Members of Congress may also increase pressure on the agency to take more aggressive enforcement steps. For example, in the wake of Yahoo’s disclosure last year of a data breach affecting 500 million user accounts in 2014, Sen. Warner requested that then-Chair Mary Jo White “investigate whether Yahoo and its senior executives fulfilled their obligations to keep investors and the public informed.”7
Before the SEC can meaningfully step up enforcement, it may have to first confront whether clarified or additional guidance is necessary on the materiality standard. Additionally, the SEC could explore alternative approaches to improve understanding among public companies about when and under what circumstances disclosure is required—such as technical assistance and educational campaigns. A direct move to an aggressive enforcement posture absent such steps could have perverse results: Companies might find themselves with the incentive to over-disclose, leaving investors confused and unable to sort meaningful risks and events from less significant cyber incidents. In the short term, more guidance, and less enforcement, will help companies better navigate materiality determinations.
Conclusion
It remains to be seen how aggressive Clayton’s SEC will be in enforcing cybersecurity disclosures. During a panel at the Global Privacy Summit, Fort Worth Regional Director Shamoil Shipchandler said the SEC remains in the “development phase” of cybersecurity enforcement.8 While it develops those enforcement mechanisms, the SEC has been willing to pursue cases under other parts of its cybersecurity authority, including the “Safeguards Rule,” which requires registered broker-dealers, investment companies, and investment advisers to adopt written procedures reasonably designed to protect customer data.
When Clayton wrote, as a private practitioner, that “the world is in the early stages” of coming to terms with cybersecurity and “[n]ow is the time to become wiser,” it was June 2015, and his ascent to the SEC was nowhere on the horizon. Now that he has a high-profile platform for raising awareness—and for requiring public companies to own up to these risks—it remains to be seen how aggressively Clayton will push for increased disclosure and enforcement. But, as he put it then, “[i]t is obvious which way the wind is blowing.”
1. Jay Clayton, David Lawrence & Frances Townsend, “We Don’t Need a Crisis to Act Unitedly Against Cyber Threats,” Knowledge@Wharton (June 2015).
2. Senate Committee on Banking, Housing and Urban Affairs Hearing on the Nomination of Jay Clayton to be a Member of the Securities and Exchange Commission, March 23, 2017.
3. See Warner Introduces Legislation to Bolster Cybersecurity at Publicly-Traded Companies, Press Release.
4. SEC Division of Corporation Finance, CF Disclosure Guidance: Topic No. 2, Cybersecurity, Oct. 13, 2011.
5. “Corporate Judgment Call: When to Disclose You’ve Been Hacked,” The Wall Street Journal (Sept. 19, 2016).
6. “SEC Suits Over Cyber Reporting Could Be on Horizon,” Law360, April 20, 2017.
7. See Sen. Warner Calls on SEC to Investigate Disclosure of Yahoo Breach, Press Release.
8. Id.