In 2011, the SEC staff issued disclosure guidance regarding cybersecurity risks and incidents, which was met with a yawn at most public companies. Certainly companies in the financial services and technology industries and those with significant data security exposure have been more attentive, but the vast majority of companies reacted by simply adding a boilerplate risk factor to their Form 10-K without much additional thought.
The SEC’s recent cybersecurity roundtable attempted to raise the heat on this issue. In her opening remarks on March 26th, SEC Chair Mary Jo White opined that cyber threats are “of extraordinary and long-term seriousness.” To underscore her point, she also noted that cyber threats have surpassed terrorism on the Office of Intelligence’s list of global threats and that the FBI soon expects to devote more resources to cyber threats than to terrorism.
The SEC and other agencies have been working closely with key capital market infrastructure participants to mitigate risk, ensure market continuity and develop disaster recovery plans. Far less attention has been given to these issues among the more general public company population.
Cyber events can be as aggressive as an all-out external attack or as passive as an internal failure to follow established security procedures, and everything in between. For most companies, pertinent questions should include:
- Have we identified the risks applicable to our business?
- Have we assessed their probability and potential magnitude?
- Do we have adequate procedures in place to mitigate those risks to a level consistent with our articulated risk appetite?
- Do we have appropriate crisis management and recovery procedures in place?
- Have we properly disclosed the above?
The first four bullets fall squarely into the realm of enterprise risk management and oversight. Hopefully, you have an effective ERM program in place to capture that information and implement those procedures. (See Risky Business: Effective Compliance Programs.) The fifth bullet relates to the degree of transparency in your SEC filings.
Due to the current proliferation of technology and electronic connectivity among various aspects of nearly every company’s business, cybersecurity risks continue to grow exponentially. However, the disclosure related to those risks seems stuck at the 2011 guidance (or pre-2011) levels. It is important to realize that cybersecurity breaches can impact even non-financial and non-technology companies in a variety of significant ways, including for example:
- Business disruption/lost revenue
- Reputational damage
- Employee concerns
- Regulatory investigations and sanctions
- Litigation exposure
- Remediation and increased protection costs
- Lower stock price
Consider whether your existing disclosure fully captures these risks, focusing particularly on the following:
- Have you described all aspects of your business that generate cybersecurity risk?
- Is your risk disclosure specific to cybersecurity, rather than simply rolled into a litany of more general disaster risks?
- Are the potential costs of a cyber event explained?
- Are any key operations outsourced? If so, are there risks related to outsourcing? How are those risks being managed?
- Has a cyber event occurred or been threatened? How was it resolved? Was it, or might it become, material?
- Have any of the company’s business partners experienced cyber events that have impacted, or might impact, the company’s operations directly or indirectly?
- Are your cybersecurity risks insured? To what extent? (See this Doug’s Note.)
These and other disclosures might appear in your business description, MD&A (for example, material trends or uncertainties), risk factors, legal proceedings, financial statement notes or disclosure controls and procedures assessment. It could be useful to take a fresh look.