On February 14, 2014, the SEC announced that it will hold a cybersecurity roundtable on March 26 to discuss the issues and challenges cybersecurity raises for investors and public companies. The SEC’s roundtable comes on the heels of recent widely publicized security breaches at Target and Neiman Marcus. As the SEC stated in its press release, “[c]ybersecurity breaches have focused public attention on how public companies disclose cybersecurity threats and incidents.”
The most recent SEC guidance on cybersecurity disclosures was issued in October 2011 (CF Disclosure Guidance: Topic No. 2, Cybersecurity). Without creating new obligations, the SEC clarified how its existing rules and regulations provide a framework for public companies’ disclosures relating to cybersecurity risks and cyber incidents. After this guidance, cybersecurity-related disclosures became mainstream in annual reports on Form 10-K, especially in the form of a cybersecurity risk factor. For example, last year’s Annual Report on Form 10-K of Target Corporation included the following risk factor disclosures:
“… if Target.com and our other guest-facing technology systems do not reliably function as designed, we may experience a loss of guest confidence, data security breaches, lost sales or be exposed to fraudulent purchases, which, if significant, could adversely affect our reputation and results of operations.”
“If we experience a significant data security breach or fail to detect and appropriately respond to a significant data security breach, we could be exposed to government enforcement actions and private litigation. In addition, our guests could lose confidence in our ability to protect their personal information, which could cause them to discontinue usage of REDcards, decline to use our pharmacy services, or stop shopping with us altogether.”
“We rely extensively on our computer systems to manage inventory, process guest transactions, service REDcard accounts and summarize and analyze results. Our systems are subject to damage or interruption from power outages, telecommunications failures, computer viruses and malicious attacks, security breaches and catastrophic events. If our systems are damaged or fail to function properly, we may incur substantial costs to repair or replace them, experience loss of critical data and interruptions or delays in our ability to manage inventories or process guest transactions, and encounter a loss of guest confidence which could adversely affect our results of operations.”
However, even well-drafted risk factors may not be enough to warn investors of the ramifications of significant security breaches. On January 10, 2014, Target issued a press release that included the following information:
“As part of Target’s ongoing forensic investigation, it has been determined that certain guest information … was taken during the data breach. … At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.”
Information on the agenda and participants of the SEC’s March 26 roundtable has not been announced yet. It will be interesting to see whether the recent significant breaches and the coming SEC roundtable will lead to SEC rulemaking or additional guidance in this area.