Cybersecurity as an Investment Risk

PricewaterhouseCoopers LLP (PwC) and Investor Responsibility Research Center Institute (IRRCi) have weighed in on the cybersecurity issue from an investor’s point of view in their paper called What investors need to know about cybersecurity: How to evaluate investment risks. Cybersecurity has been on the public company disclosure radar screen since the SEC’s guidance released in 2011, but PwC’s and IRRCi’s paper states that cybersecurity disclosures “rarely provide differentiated or actionable information for investors.”

The paper suggests that cybersecurity risk should be one of the elements in an investor’s decision-making process to diversify the investor’s portfolio. For example, even if an investor holds securities of retail, financial services and aerospace & defense companies, such industry diversification may still be vulnerable because all these industries are more likely to be targeted in cyber attacks than others. One of the solutions suggested by the paper is that investors should be better informed about the company’s “preparedness to respond quickly to contain or mitigate the potential harm” from a cyber attack.

The paper provides a list of questions, responses to which should enable investors to evaluate the company’s level of vulnerability to potential cyber attacks. Some of the questions included in the paper are listed below. Such questions can also serve as a roadmap for public company disclosure regarding cybersecurity:

  • Does the organization have a Security & Privacy executive that reports to a senior level position within the company? What are the skills, experiences and qualifications of this executive?
  • Does the organization have a documented cybersecurity strategy that is regularly reviewed and updated? How is the board engaged in the cybersecurity strategy and review process?
  • Does the organization perform periodic risk assessments and technical audits of its security posture?
  • Does the “tone at the top” seem to make security a priority?
  • What is the organization doing to address security with its business partners?
  • Does the organization have a response plan for a cyber incident? Is it tested regularly through simulations and table top exercises? Does it include testing with key 3rd party relationships?

Commissioner Aguilar Shares His Views on Directors’ Oversight of Cyber-Risk Management

On June 10, 2014, Commissioner Luis A. Aguilar spoke at a NYSE conference, “Cyber Risks and the Boardroom,” about what boards of directors should do to ensure that their companies are appropriately considering and addressing cyber threats.

Commissioner Aguilar was concerned that “there may be a gap that exists between the magnitude of the exposure presented by cyber-risks and the steps, or lack thereof, that many corporate boards have taken to address these risks.” Commissioner Aguilar stressed that boards should, among other matters:

  • review annual budgets for privacy and IT security programs;
  • assign roles and responsibilities for privacy and security; and
  • receive regular reports on breaches and IT risks.

Boards should also:

  • have a clear understanding of who at the company has primary responsibility for cybersecurity risk oversight and for ensuring the adequacy of the company’s cyber-risk management practices; and
  • put time and resources into making sure that management has developed a well-constructed response plan that is consistent with best practices for a company in the same industry (including a consideration of whether and how cyber-attacks should be disclosed to customers and to investors).

Commissioner Aguilar suggested that one conceptual roadmap boards should consider is the Framework for Improving Critical Infrastructure Cybersecurity, released by the National Institute of Standards and Technology (NIST) in February 2014. The NIST Cybersecurity Framework provides companies with a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk consisting of five concurrent and continuous functions:

(i)                 identify known cybersecurity risks to the company’s infrastructure;

(ii)               develop safeguards to protect the delivery and maintenance of infrastructure    services;

(iii)             implement methods to detect the occurrence of a cybersecurity event;

(iv)             develop methods to respond to a detected cybersecurity event; and

(v)               develop plans to recover and restore the company’s capabilities that were impaired as a result of a cybersecurity event.

Boards should work with management to assess their corporate policies to ensure how they measure up to the Framework’s guideline.

Commissioner Aguilar emphasized that cyber-risk is part of a board of director’s overall risk oversight responsibilities, in addition to liquidity and operational risks facing the company. Generally, the board’s risk oversight function lies either with the full board or is delegated to the board’s audit committee. But the board’s audit committee may not have the expertise, support, or skills necessary to add oversight of a company’s cyber-risk management to its agenda. Some boards create a separate enterprise risk committee.

There is obviously no “one-size-fits-all” way to address cybersecurity issues at the board level and each company should evaluate its board composition and determine what would be the most effective way for its board to oversee cyber-risk management.

Is the Disclosure Pendulum Swinging Back?

At the beginning of this year, I blogged about the SEC Staff Report on Public Company Disclosure issued on December 20, 2013, which has an ambitious goal of modernizing and simplifying the disclosure that public companies are obligated to provide, but it was unclear how soon the SEC will start moving forward with this initiative.

On April 11, 2014, when Keith F. Higgins, Director of the SEC Division of Corporation Finance, delivered his speech on disclosure effectiveness before the ABA Business Law Section Spring Meeting, it has become clear that the SEC is going to take a close look at existing disclosure requirements soon. Mr. Higgins said that Chair White had asked the Division to “lead the effort to develop specific recommendations for updating the disclosure requirements.” However, Mr. Higgins was also very clear that “reducing the volume of disclosures” is not going to be the “sole end game” of this project. If the SEC identifies “potential gaps in disclosure or opportunities to increase the transparency of information,” it may “recommend new disclosure requirements.”

Mr. Higgins provided a roadmap of the disclosure project that is being undertaken by his Division. It will start with the Division’s review of Regulation S-K requirements related to (i) business and financial disclosures that flow into Forms 10-K, 10-Q and 8-K and transactional filings, (ii) industry guides and form-specific disclosures, and (iii) scaling of disclosure provided by smaller reporting companies and emerging growth companies. The Division will also look at Regulation S-X requirements related to acquired businesses and guarantors, differences in the disclosure requirements under the Securities Act of 1933 and Securities Exchange Act of 1934 as well as the overlap between the GAAP requirements in the footnotes to the financial statements and the SEC requirements. The Division will also explore whether the focus and navigability of disclosure documents can be improved by using structured data or hyperlinks.

While it will obviously take some time to review the areas described above and implement changes through the rulemaking process, Mr. Higgins included in his speech a “Call to Action” for public companies to improve their disclosure now. He posed a few fresh questions for the audience:

“Before you repeat anything in a filing, please step back and ask yourself — do I need to say it again?”

If a company includes new disclosure because a client alert says that it is a “hot button” issue for the Staff, “the first question should be ‘does this issue apply to the company?’”

The point that Mr. Higgins was making was that public companies should:

  • reduce repetition in an SEC filing (for ex., by using cross-references);
  • focus their disclosure on matters that actually apply to the company as opposed to including disclosure only because other public companies have done so or a client alert recommended it; and
  • eliminate outdated or immaterial information from the filings, even if such information is “sacred” because it was included in response to prior SEC comments.

Recent Panel Discussion of Enhancing the Audit Committee Report: A Call to Action

On April 22, 2014, the John L. Weinberg Center for Corporate Governance and the Center for Audit Quality, hosted a panel discussion of a recent report, Enhancing the Audit Committee Report: A Call to Action (Call to Action). The report was issued last November by the Audit Committee Collaboration, a group of organizations, including, among others, National Association of Corporate Directors, Association of Audit Committee Members, Inc., The Directors’ Council, and Center for Audit Quality. The Call to Action encourages all public company audit committees to “voluntarily and proactively improve their public disclosures to more effectively convey … the critical aspects of the important work that they currently perform.”

Generally, the only public company disclosures that an audit committee is required to make consist of (i) an audit committee report under Item 407(d)(3) of Regulation S-K, which is included in the proxy statement, and (ii) a copy of the audit committee’s charter mandated by the stock exchange on which the company’s stock is listed. The committee’s charter is usually posted on the company’s website (or it may be included as an appendix to the company’s proxy statement). Item 407 requires that only information about the audit committee’s discussions with management and independent auditors, the committee’s recommendation to the board that the audited financial statements be included in the company’s annual report on Form 10-K, and the name of each member of the audit committee.

Based on its review of 2013 proxy statements, the Call to Action provides examples of audit committee reports that expanded the limited required disclosure by clarifying the scope of the audit committee’s duties, clearly defining the audit committee’s composition and providing relevant information about: 

  • factors considered when selecting or reappointing an audit firm
  • selection of the lead audit engagement partner
  • factors considered when determining auditor compensation
  • how the committee oversees the external auditor
  • the evaluation of the external auditor

Panelists’ views ranged from encouraging audit committees to take a fresh look at their audit committee reports and add some of the foregoing suggested disclosures to make the reports more transparent to concerns about disclosure overload and potential lawsuits.

SEC Holds Cybersecurity Roundtable

On March 26, 2014, as we have previously blogged, the SEC hosted a cybersecurity roundtable to address the growing “cyber-threat” faced by public companies and other capital markets participants. The roundtable included four panels that discussed the cybersecurity landscape, public company disclosure, as well as market systems and participants (for an overview of the panels, see cybersecuritylawwatch.com).

SEC Chair White noted in her introductory remarks to the roundtable that cyber threats pose non-discriminating risks across our economy to all critical infrastructures, including financial markets, banks, intellectual property, and private consumer data (i.e., no company can be immune to such threats). Chair White also pointed out that the current SEC guidance on this topic (CF Disclosure Guidance: Topic No. 2, Cybersecurity) provides that material information concerning cybersecurity risks and cyber incidents must be disclosed in SEC filings.

SEC Commissioner Aguilar noted that the SEC’s informal disclosure guidance regarding cybersecurity helped investors and public companies to assess cybersecurity issues and questioned whether the SEC should be doing more to ensure the proper functioning of the capital markets and the protection of investors. The Commissioner suggested that the SEC should establish a Cybersecurity Task Force composed of representatives from each SEC division that will discuss these issues and advise the SEC as appropriate.

SEC Announces the Agenda of Its Cybersecurity Roundtable; Target Corporation Files Form 10-K Bleeding out Disclosures about Its Data Breach

We have previously blogged about March 26 SEC cybersecurity roundtable and the SEC paying close attention to cybersecurity issues, especially on the heels of the cybersecurity breaches faced by Target and other retailers.  On March 19, 2014, the SEC issued a notice about the coming cybersecurity roundtable shedding light on the topics that will be discussed at the roundtable.

The panelists will have a well-rounded discussion of the cybersecurity issues faced by different constituencies, including:

  • exchanges and other key market systems;
  • broker-dealers;
  • investment advisers;
  • transfer agents; and
  • public companies.

Panelists will also be invited to discuss industry and public-private sector coordination efforts relating to assessing and responding to cybersecurity issues.

This roundtable discussion will be very timely.  On March 14, 2014, Target filed its Annual Report on Form 10-K, which reads as Exhibit A to the SEC’s 2011 guidance on cybersecurity disclosures (CF Disclosure Guidance: Topic No. 2, Cybersecurity).  Among other disclosures, the company beefed up the risk factors to talk about its data breach and included a detailed discussion of the ramifications of this breach into its “Management’s Discussion and Analysis of Financial Condition and Results of Operations.” 

Some details of Target’s disclosure are quite interesting.  As a result of the data breach, Target recorded $61 million of pretax data breach-related expenses, some of which may be offset by its network-security insurance coverage.  Such expenses include costs to investigate the data breach, provide credit-monitoring services to its customers, increase staffing in its call centers, and procure legal and other professional services. More than 80 actions have been filed and other claims may be asserted against Target on behalf of its customers, payment card issuing banks, shareholders or others seeking relief in connection with the data breach. In addition, State Attorneys General, the Federal Trade Commission and the SEC are investigating events related to the data breach. Probably, one of the most important ramifications is the effect of the data breach on sales as Target believes that the data breach adversely affected its fourth quarter U.S. Segment sales.

SEC Pays Close Attention to Cybersecurity Issues

On February 14, 2014, the SEC announced that it will hold a cybersecurity roundtable on March 26 to discuss the issues and challenges cybersecurity raises for investors and public companies.  The SEC’s roundtable comes on the heels of recent widely publicized security breaches at Target and Neiman Marcus.  As the SEC stated in its press release, “[c]ybersecurity breaches have focused public attention on how public companies disclose cybersecurity threats and incidents.” 

The most recent SEC guidance on cybersecurity disclosures was issued in October 2011 (CF Disclosure Guidance: Topic No. 2, Cybersecurity).  Without creating new obligations, the SEC clarified how its existing rules and regulations provided framework for public company’s disclosure relating to cybersecurity risks and cyber incidents.  After this guidance, cybersecurity related disclosures became mainstream in an annual report on Form 10-K, especially a cybersecurity risk factor.  For example, last year’s Annual Report on Form 10-K of Target Corporation included the following risk factor disclosures:

“… if Target.com and our other guest-facing technology systems do not reliably function as designed, we may experience a loss of guest confidence, data security breaches, lost sales or be exposed to fraudulent purchases, which, if significant, could adversely affect our reputation and results of operations.”

“If we experience a significant data security breach or fail to detect and appropriately respond to a significant data security breach, we could be exposed to government enforcement actions and private litigation. In addition, our guests could lose confidence in our ability to protect their personal information, which could cause them to discontinue usage of REDcards, decline to use our pharmacy services, or stop shopping with us altogether.”

“We rely extensively on our computer systems to manage inventory, process guest transactions, service REDcard accounts and summarize and analyze results. Our systems are subject to damage or interruption from power outages, telecommunications failures, computer viruses and malicious attacks, security breaches and catastrophic events. If our systems are damaged or fail to function properly, we may incur substantial costs to repair or replace them, experience loss of critical data and interruptions or delays in our ability to manage inventories or process guest transactions, and encounter a loss of guest confidence which could adversely affect our results of operations.”

However, even well drafted risk factors may not be enough to warn investors of ramifications of significant security breaches.  On January 10, 2014, Target issued a press release that included the following information:

“As part of Target’s ongoing forensic investigation, it has been determined that certain guest information … was taken during the data breach.  … At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.”

Information on the agenda and participants of the SEC’s March 26 roundtable have not been announced yet.  It will be interesting to see whether recent significant breaches and the coming SEC roundtable will lead to the SEC rulemaking or additional guidance in this area.

Snowed In…

As I sit at home working remotely (AGAIN!) due to the latest snowstorm, I am struck by the thought of how paralyzing this winter has been.  Similar to Hurricane Sandy in 2012, this snowy and icy winter is likely to have a material affect on many public companies.    

Companies should consider whether additional disclosure should be added to their earnings releases or periodic filings regarding the potential effects of this winter season.  In particular, companies should consider whether to include disclosure related to this winter season in the following areas:

  • Forward-looking statements –  references to the winter season as one of the risks and uncertainties which could cause actual results to differ materially from those projected;
  • Risk Factors–  risk factor related to the potential impact of this winter season on their results of operations and financial position;
  • MD&A –   disclosure about the effects of this winter season if the report is filed after the winter season affected the company and/or as a known trend, event or uncertainty;
  • Guidance – companies should consider whether guidance given in the past or currently being issued may be affected by the winter season.  Companies should consider whether it is necessary to point out that such guidance did or does not take into account the effects of this winer season or estimates the effects of this winter season.

 Hopefully this winter madness will end soon and we can all get back to our routines as usual.  Stay safe and warm.

2014 Winter Olympics and Full Disclosure

The media coverage leading up to the 2014 Winter Olympics looked like full disclosure of risk factors in an SEC filing, ranging from risks of terrorist attacks to the lack of shower curtains in hotels in Sochi.  Some things never change, and 2014 Winter Olympic Games in Sochi are almost as politically charged as 1980 Summer Olympic Games in Moscow.  However, the opening ceremony in Sochi offered a different kind of full disclosure – full disclosure of Russia’s rich history and its fascination with the arts.  Sochi showcased Russia’s musical, literary, and dance traditions that all came together as pieces of one beautiful puzzle in the opening ceremony.  Although it will still take a lot of work to turn Sochi, a Soviet-era summer resort, into a first class venue, the 2014 Olympic Games are the first step in this direction, with the opening ceremony reminding us that sport and arts transcend politics.

To Unbundle or Not to Unbundle Multiple Amendments? There Is Still No Clear Answer to This Question.

On January 24, 2014, the SEC issued three unbundling Compliance and Disclosure Interpretations (C&DIs), in an apparent response to the decision of the U.S. District Court of the Southern District of New York in Greenlight v. Apple and in time for the 2014 proxy season.  The SEC concept of “unbundling” refers to separating matters submitted to a vote of shareholders into separate proposals, under Rules 14a-4(a)(3) and (b)(1)[1], under the Securities Exchange Act of 1934 so that shareholders could express their views on each separate matter.

With virtually no attention being paid to “unbundling” since September 2004 when the SEC issued an Interim Supplement to the Publicly Available Telephone Interpretations providing “unbundling” guidance in the context of mergers and acquisitions, “unbundling” was brought to light again in 2013, when the Court enjoined Apple, Inc. from accepting proxy votes in connection with a proposal to amend its articles of incorporation to (i) eliminate certain language in order to facilitate the adoption of majority voting for the election of directors, (ii) eliminate “blank check” preferred stock, (iii) establish a par value for Apple’s common stock of $0.00001 per share and (iv) make other conforming changes (Greenlight v. Apple, Feb. 22, 2013).  Greenlight Capital, L.P. sued Apple alleging that such proposal violated SEC “unbundling” Rules 14a-4(a)(3) and (b)(1). 

New C&DIs issued on January 24 provide examples and guidance as to whether companies should be unbundling multiple amendments into separate proposals.  Set forth below is a summary of such guidance, which makes it clear that there is no bright-line test and the unbundling decision is subject to the company’s facts and circumstances analysis. 

Charter Amendments Changing Terms of Preferred Stock

Fact Pattern. If management negotiated concessions from holders of a series of its preferred stock to reduce the dividend rate on the preferred stock in exchange for an extension of the maturity date, can management submit a single proposal to holders of the company’s common stock to approve a charter amendment containing both modifications: one relating to the reduction of the dividend rate and another relating to the extension of the maturity date?

Guidance. Yes, these multiple amendments effectively constitute a single matter and need not be unbundled because they are “inextricably intertwined.” Each of the proposed amendments relates to a basic financial term of the same series of capital stock and was the sole consideration for the countervailing amendment.  However, the staff would not view two arguably separate matters as being inextricably intertwined merely because the matters were negotiated as part of a transaction with a third party, nor because the matters represent terms of a contract that a party considers essential to the overall bargain.

Charter Amendments Changing Common Stock’s Par Value, Eliminating Provisions for Preferred Stock and Declassifying the Board

Fact Pattern.  Can management submit for shareholder approval amendments to the company’s amended and restated charter that would (i) change the par value of the common stock; (ii) eliminate provisions relating to a series of preferred stock that is no longer outstanding and is not subject to further issuance; and (iii) declassify the board of directors as one proposal?.  

Guidance.  Yes, the staff would not ordinarily object to the bundling of any number of immaterial matters with a single material matter. While, there is no bright-line test for determining materiality in the context of Rule 14a‑4(a)(3), companies should generally consider whether a given matter substantively affects shareholder rights. While the declassification amendment would be material under this analysis, the amendments relating to par value and preferred stock do not substantively affect shareholder rights, and therefore both of these amendments ordinarily could be included in a single restatement proposal together with the declassification amendment. However, if management knows or has reason to believe that a particular amendment that does not substantively affect shareholder rights nevertheless is one on which shareholders could reasonably be expected to wish to express a view separate from their views on the other amendments that are part of the restatement, the amendment should be unbundled. 

The analysis under Rule 14a-4(a)(3) is not governed by the fact that, for state law purposes, amendments could be presented to shareholders as a single restatement proposal. If, for example, the restatement proposal also included an amendment to the charter to add a provision allowing shareholders representing 40% of the outstanding shares to call a special meeting, the staff would view the special meeting amendment as material and therefore required to be presented to shareholders separately from the similarly material declassification amendment.

Amendments to Equity Incentive Plan

Fact Pattern. Can management present for a vote of shareholders a single proposal covering an omnibus amendment to the company’s equity incentive plan that (i) increases the total number of shares reserved for issuance under the plan; (ii) increases the maximum amount of compensation payable to an employee during a specified period for purposes of meeting the requirements for qualified performance-based compensation under Section 162(m) of the Internal Revenue Code; (iii) adds restricted stock to the types of awards that can be granted under the plan; and (iv) extends the term of the plan?  

Guidance. Yes, these proposed changes need not be unbundled into separate proposals pursuant to Rule 14a‑4(a)(3). While the Staff generally will object to the bundling of multiple, material matters into a single proposal – provided that the individual matters would require shareholder approval under state law, the rules of a national securities exchange, or the registrant’s organizational documents if presented on a standalone basis – the staff will not object to the presentation of multiple changes to an equity incentive plan in a single proposal.  This is the case even if the changes can be characterized as material in the context of the plan, and the rules of a national securities exchange would require shareholder approval of each of the changes if presented on a standalone basis.

 


[1] Rule 14a-4(a)(3) requires that the form of proxy must “identify clearly and impartially each separate matter intended to be acted upon, whether or not related to or conditioned on the approval of other matters,” and Rule 14a-4(b)(1) provides that, subject to certain exceptions, the form of proxy must include separate boxes for shareholders to choose between approval, disapproval of or abstention “with respect to each separate matter referred to [in the form of proxy] as intended to be acted upon…”