We viewed this guidance as a true game changer and initiated a series of studies of these disclosures. The first, released today, focuses on the Fortune 500’s reported exposures. The first question we asked was how companies rated the significance of their cyber exposures in their reports to the SEC.
Most Companies Reported Their Exposures
The SEC emphasized that its disclosure guidance is “not a rule, regulation, or statement of the Securities and Exchange Commission.” But, as it came from the department within the SEC that approves one’s financial statements (the Division of Corporation Finance), most companies chose to comply with the guidance: Only 13% of companies in our Study remained silent on their cyber exposures.
85% Say Cyber Exposures Could Adversely Affect Them
With no firm providing a dollar magnitude of its cyber risks, it is notable that 85% of the Fortune 500 in our study indicated that their cyber exposures could impact their business—from adversely to critically.
Of this, 10% disclosed that they could either be significantly or critically impacted by a hack. (It may be important to note that companies were not required to estimate the likelihood of such an event occurring. Rather they were to consider that it something were to happen, how might it manifest and how costly might it be.)
SEC: What to Consider
The SEC’s guidance suggested companies disclose factors particular to their business or their type of business—rather than generic risks that could apply to any business. When looking to measure the impact of potential hacks, the SEC advised companies to consider all of the following:
- Remediation costs, including liability for stolen assets or information and repairing system damage that may have been caused. (Also included might be incentives offered to customers or other business partners in an effort to maintain the business relationships after an attack.)
- Lost revenues resulting from unauthorized use of proprietary information or the failure to retain or attract customers following an attack.
- Diminution in future cash flows, resulting in the possible impairment of assets including goodwill, customer-related intangible assets, trademarks, patents, capitalized software or other long-lived assets associated with hardware or software, and inventory.
- Increased cybersecurity protection costs post-breach that might include organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third party experts and consultants.
- Reputational damage adversely affecting customer or investor confidence as well as the cost of providing customers with incentives to maintain the business relationship, post hack.
- Litigation and losses from claims, including those arising from warranties, breach of contract, product recall and replacement, and indemnification of counter-party losses from their remediation efforts.
- If a cyber incident could materially impact a new product under development, the firm should disclose the potential impact, to the extent material.
It’s likely that, prior to the SEC’s guidance, many firms may not have measured their potential exposure as extensively as set out in the new disclosure guidance. For example, while many companies are likely to have looked at credit card and other forms of personally identifiable information being compromised, some may not have considered the implications if their intellectual capital were to be hacked. Many may not have previously considered the impact on their business arising from third parties’ cyber events.
It may be quite hard to get it just right, especially the first time the new cyber disclosures are made. Companies may need to avail themselves of periodic filings (like 10-Q’s and 8-k’s) as more information comes to light.
The SEC Insists
What can happen if companies fail to disclose or improperly disclose their cyber exposures? The first stop might be to receive a comment letter from the SEC—as happened to approximately 50 public companies on their cyber security disclosures to date.
- Disclose Specific Cybersecurity Breaches: The SEC has requested that firms disclose or clarify whether data breaches have actually occurred and how the company has responded to such breaches.
- Cybersecurity Risks Should Stand Alone: The SEC has commented that cyber security risks should be broken out separately and stand alone because of the distinct differences between the risk of cybersecurity attacks and other types of disasters or attacks, such as terrorist attacks or natural disasters.
- All Material Breaches Should Be Disclosed: In some instances, a public company has had a cybersecurity attack, but has failed to disclose such attack in its public filings. The SEC has requested additional information on why the public company doesn’t believe the attack is sufficiently material to warrant disclosure, and if the attack is material, then they have requested that the company include the relevant disclosure in its public filings.
In addition to these three main areas, the SEC has expressed interest in greater disclosure as to the source of cyber attacks, (whether the attack is from a competitor, a foreign government or a hacker group, for example). The Commission is also interested in instances in which the company was initially unaware of a data breach, until a third party brought it to the firm’s attention.
Ramifications for Public and Private Firms
With the new guidance in effect, public firms that get it wrong may have a greater exposure to securities litigation. While non-filers, private firms are likely to find stakeholders requesting like disclosures (and comparing their answers to public-company peers). Stumbles by non-registrants may therefore likewise result in claims.
Just a year in to the new guidance, there are requests that the SEC request or require more in the way of cyber disclosure from U.S. public companies.
In part two, I’ll share what we learned about how these risks are likely to manifest themselves.