Five Nutshell Questions about Cybersecurity for the Board of Directors


On April 29, 2016, the Council of Institutional Investors (CII) published its new Special Report, Prioritizing Cybersecurity: Five Investor Questions for Portfolio Company Boards.

To facilitate effective cybersecurity risk oversight by the board, CII has suggested five questions that a board of directors needs to be able to answer:

  1. How are the company’s cyber risks communicated to the board, by whom, and with what frequency?
  2. Has the board evaluated and approved the company’s cybersecurity strategy?
  3. How does the board ensure that the company is organized appropriately to address cybersecurity risks? Does management have the skill sets it needs?
  4. How does the board evaluate the effectiveness of the company’s cybersecurity efforts?
  5. When did the board last discuss whether the company’s disclosure of cyber risk and cyber incidents is consistent with SEC guidance?


SEC’s Views on Risk Factor Disclosures

On April 13, 2016, the SEC issued a Concept Release, Business and Financial Disclosure Required by Regulation S-K. In this release, which is part of the SEC’s initiative to review and improve its disclosure requirements, the SEC is seeking comments on whether its “business and financial disclosure requirements continue to elicit important information for investors and how registrants can most effectively present this information.” The Concept Release covers a wide range of topics; however, this blog post focuses on the SEC’s concerns about risk factor disclosures. Item 503(c) of Regulation S-K currently requires “disclosure of the most significant factors that make an investment in a registrant’s securities speculative or risky and specifies that the discussion should be concise and organized logically.”

Except for five specific examples of risk factors suggested by the SEC in Item 503(c) (the company’s lack of operating history, lack of profitable operations in recent periods, financial position, business or proposed business and lack of a market in the company’s securities), risk factor disclosure is principles-based. It is interesting to note that these five factors specified in Item 503(c) have not changed since the SEC published its initial guidance on risk factor disclosure in 1964.

Boards Should Put Time and Resources into Cybersecurity Issues – It Is Good for Business and Works as a Defense Strategy

We have previously blogged about Commissioner Aguilar’s recommendations at a NYSE conference, “Cyber Risks and the Boardroom,” on what boards of directors should do to ensure that their companies are appropriately considering and addressing cyber threats. On October 20, 2014, the United States District Court for the District of New Jersey dismissed a derivative lawsuit (Palkon v. Holmes, Case No. 2:14-CV-01234) filed against directors and certain officers, including the General Counsel, of Wyndham Worldwide Corporation (WWC). The Court’s opinion can be viewed as a real-life validation of the principles outlined in the Commissioner’s speech.

Cybersecurity as an Investment Risk

PricewaterhouseCoopers LLP (PwC) and Investor Responsibility Research Center Institute (IRRCi) have weighed in on the cybersecurity issue from an investor’s point of view in their paper called What investors need to know about cybersecurity: How to evaluate investment risks. Cybersecurity has been on the public company disclosure radar screen since the SEC’s guidance released in 2011, but PwC’s and IRRCi’s paper states that cybersecurity disclosures “rarely provide differentiated or actionable information for investors.”

The paper suggests that cybersecurity risk should be one of the elements in an investor’s decision-making process to diversify the investor’s portfolio. For example, even if an investor holds securities of retail, financial services and aerospace & defense companies, such industry diversification may still be vulnerable because all these industries are more likely to be targeted in cyber attacks than others. One of the solutions suggested by the paper is that investors should be better informed about the company’s “preparedness to respond quickly to contain or mitigate the potential harm” from a cyber attack.

The paper provides a list of questions whose responses should enable investors to evaluate a company’s level of vulnerability to potential cyber attacks. Some of the questions included in the paper are listed below. Such questions can also serve as a roadmap for public company disclosure regarding cybersecurity:

  • Does the organization have a Security & Privacy executive that reports to a senior level position within the company? What are the skills, experiences and qualifications of this executive?
  • Does the organization have a documented cybersecurity strategy that is regularly reviewed and updated? How is the board engaged in the cybersecurity strategy and review process?
  • Does the organization perform periodic risk assessments and technical audits of its security posture?
  • Does the “tone at the top” seem to make security a priority?
  • What is the organization doing to address security with its business partners?
  • Does the organization have a response plan for a cyber incident? Is it tested regularly through simulations and tabletop exercises? Does it include testing with key third-party relationships?

Commissioner Aguilar Shares His Views on Directors’ Oversight of Cyber-Risk Management

On June 10, 2014, Commissioner Luis A. Aguilar spoke at a NYSE conference, “Cyber Risks and the Boardroom,” about what boards of directors should do to ensure that their companies are appropriately considering and addressing cyber threats.

Commissioner Aguilar was concerned that “there may be a gap that exists between the magnitude of the exposure presented by cyber-risks and the steps, or lack thereof, that many corporate boards have taken to address these risks.” Commissioner Aguilar stressed that boards should, among other matters:

  • review annual budgets for privacy and IT security programs;
  • assign roles and responsibilities for privacy and security; and
  • receive regular reports on breaches and IT risks.

Boards should also:

  • have a clear understanding of who at the company has primary responsibility for cybersecurity risk oversight and for ensuring the adequacy of the company’s cyber-risk management practices; and
  • put time and resources into making sure that management has developed a well-constructed response plan that is consistent with best practices for a company in the same industry (including a consideration of whether and how cyber-attacks should be disclosed to customers and to investors).

Commissioner Aguilar suggested that one conceptual roadmap boards should consider is the Framework for Improving Critical Infrastructure Cybersecurity, released by the National Institute of Standards and Technology (NIST) in February 2014. The NIST Cybersecurity Framework provides companies with a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk consisting of five concurrent and continuous functions:

  (i) identify known cybersecurity risks to the company’s infrastructure;
  (ii) develop safeguards to protect the delivery and maintenance of infrastructure services;
  (iii) implement methods to detect the occurrence of a cybersecurity event;
  (iv) develop methods to respond to a detected cybersecurity event; and
  (v) develop plans to recover and restore the company’s capabilities that were impaired as a result of a cybersecurity event.

Boards should work with management to assess how their corporate policies measure up to the Framework’s guidelines.

Commissioner Aguilar emphasized that cyber-risk is part of a board of directors’ overall risk oversight responsibilities, alongside the liquidity and operational risks facing the company. Generally, the board’s risk oversight function lies either with the full board or is delegated to the board’s audit committee. But the board’s audit committee may not have the expertise, support, or skills necessary to add oversight of a company’s cyber-risk management to its agenda. Some boards create a separate enterprise risk committee.

There is obviously no “one-size-fits-all” way to address cybersecurity issues at the board level and each company should evaluate its board composition and determine what would be the most effective way for its board to oversee cyber-risk management.

SEC Holds Cybersecurity Roundtable

On March 26, 2014, as we have previously blogged, the SEC hosted a cybersecurity roundtable to address the growing “cyber-threat” faced by public companies and other capital markets participants. The roundtable included four panels that discussed the cybersecurity landscape, public company disclosure, as well as market systems and participants (for an overview of the panels, see cybersecuritylawwatch.com).

SEC Chair White noted in her introductory remarks to the roundtable that cyber threats pose non-discriminating risks across our economy to all critical infrastructures, including financial markets, banks, intellectual property, and private consumer data (i.e., no company can be immune to such threats). Chair White also pointed out that the current SEC guidance on this topic (CF Disclosure Guidance: Topic No. 2, Cybersecurity) provides that material information concerning cybersecurity risks and cyber incidents must be disclosed in SEC filings.

SEC Commissioner Aguilar noted that the SEC’s informal disclosure guidance regarding cybersecurity helped investors and public companies to assess cybersecurity issues and questioned whether the SEC should be doing more to ensure the proper functioning of the capital markets and the protection of investors. The Commissioner suggested that the SEC should establish a Cybersecurity Task Force composed of representatives from each SEC division that will discuss these issues and advise the SEC as appropriate.

SEC Announces the Agenda of Its Cybersecurity Roundtable; Target Corporation Files Form 10-K Bleeding out Disclosures about Its Data Breach

We have previously blogged about the March 26 SEC cybersecurity roundtable and the SEC paying close attention to cybersecurity issues, especially on the heels of the cybersecurity breaches faced by Target and other retailers. On March 19, 2014, the SEC issued a notice about the coming cybersecurity roundtable, shedding light on the topics that will be discussed at the roundtable.

The panelists will have a well-rounded discussion of the cybersecurity issues faced by different constituencies, including:

  • exchanges and other key market systems;
  • broker-dealers;
  • investment advisers;
  • transfer agents; and
  • public companies.

Panelists will also be invited to discuss industry and public-private sector coordination efforts relating to assessing and responding to cybersecurity issues.

This roundtable discussion will be very timely. On March 14, 2014, Target filed its Annual Report on Form 10-K, which reads as Exhibit A to the SEC’s 2011 guidance on cybersecurity disclosures (CF Disclosure Guidance: Topic No. 2, Cybersecurity). Among other disclosures, the company beefed up its risk factors to talk about its data breach and included a detailed discussion of the ramifications of this breach in its “Management’s Discussion and Analysis of Financial Condition and Results of Operations.”

Some details of Target’s disclosure are quite interesting. As a result of the data breach, Target recorded $61 million of pretax data breach-related expenses, some of which may be offset by its network-security insurance coverage. Such expenses include costs to investigate the data breach, provide credit-monitoring services to its customers, increase staffing in its call centers, and procure legal and other professional services. More than 80 actions have been filed, and other claims may be asserted, against Target on behalf of its customers, payment card issuing banks, shareholders or others seeking relief in connection with the data breach. In addition, State Attorneys General, the Federal Trade Commission and the SEC are investigating events related to the data breach. Probably one of the most important ramifications is the effect of the data breach on sales, as Target believes that the data breach adversely affected its fourth quarter U.S. Segment sales.

SEC Pays Close Attention to Cybersecurity Issues

On February 14, 2014, the SEC announced that it will hold a cybersecurity roundtable on March 26 to discuss the issues and challenges cybersecurity raises for investors and public companies.  The SEC’s roundtable comes on the heels of recent widely publicized security breaches at Target and Neiman Marcus.  As the SEC stated in its press release, “[c]ybersecurity breaches have focused public attention on how public companies disclose cybersecurity threats and incidents.” 

The most recent SEC guidance on cybersecurity disclosures was issued in October 2011 (CF Disclosure Guidance: Topic No. 2, Cybersecurity). Without creating new obligations, the SEC clarified how its existing rules and regulations provide a framework for a public company’s disclosure relating to cybersecurity risks and cyber incidents. After this guidance, cybersecurity-related disclosures became mainstream in annual reports on Form 10-K, especially in the form of a cybersecurity risk factor. For example, last year’s Annual Report on Form 10-K of Target Corporation included the following risk factor disclosures:

“… if Target.com and our other guest-facing technology systems do not reliably function as designed, we may experience a loss of guest confidence, data security breaches, lost sales or be exposed to fraudulent purchases, which, if significant, could adversely affect our reputation and results of operations.”

“If we experience a significant data security breach or fail to detect and appropriately respond to a significant data security breach, we could be exposed to government enforcement actions and private litigation. In addition, our guests could lose confidence in our ability to protect their personal information, which could cause them to discontinue usage of REDcards, decline to use our pharmacy services, or stop shopping with us altogether.”

“We rely extensively on our computer systems to manage inventory, process guest transactions, service REDcard accounts and summarize and analyze results. Our systems are subject to damage or interruption from power outages, telecommunications failures, computer viruses and malicious attacks, security breaches and catastrophic events. If our systems are damaged or fail to function properly, we may incur substantial costs to repair or replace them, experience loss of critical data and interruptions or delays in our ability to manage inventories or process guest transactions, and encounter a loss of guest confidence which could adversely affect our results of operations.”

However, even well-drafted risk factors may not be enough to warn investors of the ramifications of significant security breaches. On January 10, 2014, Target issued a press release that included the following information:

“As part of Target’s ongoing forensic investigation, it has been determined that certain guest information … was taken during the data breach.  … At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.”

Information on the agenda and participants of the SEC’s March 26 roundtable has not been announced yet. It will be interesting to see whether recent significant breaches and the coming SEC roundtable will lead to SEC rulemaking or additional guidance in this area.