SEC Announces the Agenda of Its Cybersecurity Roundtable; Target Corporation Files Form 10-K Bleeding out Disclosures about Its Data Breach

We have previously blogged about the March 26 SEC cybersecurity roundtable and the SEC paying close attention to cybersecurity issues, especially on the heels of the cybersecurity breaches faced by Target and other retailers. On March 19, 2014, the SEC issued a notice about the coming cybersecurity roundtable, shedding light on the topics that will be discussed at the roundtable.

The panelists will have a well-rounded discussion of the cybersecurity issues faced by different constituencies, including:

  • exchanges and other key market systems;
  • broker-dealers;
  • investment advisers;
  • transfer agents; and
  • public companies.

Panelists will also be invited to discuss industry and public-private sector coordination efforts relating to assessing and responding to cybersecurity issues.

This roundtable discussion will be very timely. On March 14, 2014, Target filed its Annual Report on Form 10-K, which reads as Exhibit A to the SEC’s 2011 guidance on cybersecurity disclosures (CF Disclosure Guidance: Topic No. 2, Cybersecurity). Among other disclosures, the company beefed up the risk factors to talk about its data breach and included a detailed discussion of the ramifications of this breach in its “Management’s Discussion and Analysis of Financial Condition and Results of Operations.”

Some details of Target’s disclosure are quite interesting. As a result of the data breach, Target recorded $61 million of pretax data breach-related expenses, some of which may be offset by its network-security insurance coverage. Such expenses include costs to investigate the data breach, provide credit-monitoring services to its customers, increase staffing in its call centers, and procure legal and other professional services. More than 80 actions have been filed and other claims may be asserted against Target on behalf of its customers, payment card issuing banks, shareholders or others seeking relief in connection with the data breach. In addition, State Attorneys General, the Federal Trade Commission and the SEC are investigating events related to the data breach. Probably one of the most important ramifications is the effect of the data breach on sales, as Target believes that the data breach adversely affected its fourth quarter U.S. Segment sales.

SEC Pays Close Attention to Cybersecurity Issues

On February 14, 2014, the SEC announced that it will hold a cybersecurity roundtable on March 26 to discuss the issues and challenges cybersecurity raises for investors and public companies.  The SEC’s roundtable comes on the heels of recent widely publicized security breaches at Target and Neiman Marcus.  As the SEC stated in its press release, “[c]ybersecurity breaches have focused public attention on how public companies disclose cybersecurity threats and incidents.” 

The most recent SEC guidance on cybersecurity disclosures was issued in October 2011 (CF Disclosure Guidance: Topic No. 2, Cybersecurity). Without creating new obligations, the SEC clarified how its existing rules and regulations provided a framework for public companies’ disclosure relating to cybersecurity risks and cyber incidents. After this guidance, cybersecurity-related disclosures, especially a cybersecurity risk factor, became mainstream in annual reports on Form 10-K. For example, last year’s Annual Report on Form 10-K of Target Corporation included the following risk factor disclosures:

“… if Target.com and our other guest-facing technology systems do not reliably function as designed, we may experience a loss of guest confidence, data security breaches, lost sales or be exposed to fraudulent purchases, which, if significant, could adversely affect our reputation and results of operations.”

“If we experience a significant data security breach or fail to detect and appropriately respond to a significant data security breach, we could be exposed to government enforcement actions and private litigation. In addition, our guests could lose confidence in our ability to protect their personal information, which could cause them to discontinue usage of REDcards, decline to use our pharmacy services, or stop shopping with us altogether.”

“We rely extensively on our computer systems to manage inventory, process guest transactions, service REDcard accounts and summarize and analyze results. Our systems are subject to damage or interruption from power outages, telecommunications failures, computer viruses and malicious attacks, security breaches and catastrophic events. If our systems are damaged or fail to function properly, we may incur substantial costs to repair or replace them, experience loss of critical data and interruptions or delays in our ability to manage inventories or process guest transactions, and encounter a loss of guest confidence which could adversely affect our results of operations.”

However, even well-drafted risk factors may not be enough to warn investors of the ramifications of significant security breaches. On January 10, 2014, Target issued a press release that included the following information:

“As part of Target’s ongoing forensic investigation, it has been determined that certain guest information … was taken during the data breach.  … At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.”

Information on the agenda and participants of the SEC’s March 26 roundtable has not been announced yet. It will be interesting to see whether recent significant breaches and the coming SEC roundtable will lead to SEC rulemaking or additional guidance in this area.