Getting hacked is not only expensive in remediation costs and reputational damage. Now public corporations could also face regulatory penalties if they don’t explain the breach the right way and quickly.
US compliance managers, legal counsel and IT managers of public firms need to devise a strategy for who tells whom, what and when about the breach, says the Securities and Exchange Commission. The US regulatory agency has just updated its 2011 guidance on how public firms notify investors about actual and attempted cybersecurity breaches, as well as how to slam the door on potential insider trading before the breach is made public.
The SEC’s guidance comes in the wake of a series of highly publicized delays in data breach disclosures and suspiciously timed trading. Yahoo, for one, waited until 2016 to disclose data breaches in 2013 and 2014. C-level executives at Equifax made undisclosed stock divestitures totaling over US$1.8 million last year before news of its data breach was made public.
Public firms have been singled out by the SEC for disclosure guidance and trading prohibitions. Although the regulatory agency requires registered investment advisers (RIAs) to create cybersecurity programs to prevent data breaches, it has not come up with detailed disclosure guidelines. Neither has the Financial Industry Regulatory Authority for broker-dealers. However, RIAs and broker-dealers are expected to inform clients affected by cybersecurity breaches of the incidents to fulfill their legal obligations to disclose conflicts of interest. Those which are also public must also follow the new SEC guideline.
“The guidance shouldn’t severely impact how firms already behave since they should already be disclosing breaches to the public as soon as they are known and not allowing insiders to trade on non-public information,” says Jeremy Wittkop, chief technology officer for InteliSecure, a Denver-based security data protection firm. “The guidance simply clarifies how companies are expected to behave.”
Still public firms shouldn’t take the SEC’s guidance lightly. Although guidance doesn’t have the force of law, the regulatory agency could now fine a public firm for misleading investors about its cybersecurity practices or a data breach.
Telling investors a breach has occurred is the easy part. Explaining the impact of such a breach will be far harder to do, because the SEC considers cybersecurity breaches to be part of investment risk. Investors have a right to promptly know how severe the financial damage really was and the likelihood a firm might be hacked in the future. Public firms must also take steps to prevent investors from being harmed by C-level executives using insider information to trade in the firm’s shares.
“Compliance managers, legal counsel and crisis management experts will need to work quickly on what they want to tell investors because they can’t wait until they have investigated the cybersecurity breach, written platform code to patch up the hole and quantified the potential losses,” says Spencer Feldman, a partner with in the corporate and securities practice of law firm Olshan Frome Wolosky in New York. “The SEC said notification must be timely after a breach was uncovered.”
Public firms will also have to think twice about keeping information about “minor” breeches confidential. Although the SEC’s guidance allows public firms to limit their disclosures to “material” breaches, the SEC’s definition of that word isn’t always based on generally accepted accounting principles.
“The SEC isn’t defining materiality based on the amount of the financial loss involved in a particular incident, but on whether a reasonable investor would view omitted information about an incident as important in making an investment decision or whether the omitted information would have significantly altered the total mix of information to investors,” says Matthew Rossi, a partner specializing in securities litigation and data privacy with the law firm of Mayer Brown in Washington, D.C. “Security incidents are now considered material, because they can impact the value of a company’s stock.”
Once a data breach is uncovered, says Feldman, a public firm must warn all of its C-level executives and employees from trading in any of the company’s shares without the express consent of its chief compliance officer until investors are notified.
The Right Story
Multiple professionals are likely to be involved in communmications after a breach. Compliance managers should have already drafted the procedures on who is notified and when. while the legal counsel handles the disclosure language. Public relations professionals specializing in crisis management might be recruited to craft the press releases and train C-level executives for breach-related media interviews.
The first disclosure will likely be the filing of a Form 8-K with the SEC, which is used to promptly report current events that may be of interest to investors. Drafting this document and a press release can easily take up to take several days after the breach is discovered even if the full extent of the damage isn’t known. Further information must be disclosed as the investigation of the incident is underway.
The dissemination of information to the public also requires managing the message within the company. Public firms should have documented policy, in advance, of a step-by-step process for IT and cybersecurity managers to notify chief compliance officers, legal counsel, chief executive officers, chief operating officers and boards of directors. C-level executives can’t be kept in the dark for too long.
How much should the public firm disclose to investors? “For the Form 8-K document, disclosing at least the bare minimum of material information is likely the best approach because the extent of the financial loss won’t be known,” says Saleemah Ahamed, a managing principal at Adherence LLC, a New York regulatory compliance firm. What’s the bare minimum? “A data breach has occurred and the firm is doing its best to mitigate the financial loss to its investors and customers,” says Ahamed.”Consumer-based companies could even say they are offering customers credit checks for free.”
What then? The quarterly Form 10-Q and annual Form 10-K reports are next in line to include a more detailed discussion of just what occurred, including specifics on the the financial impact. The dollars-and-cents figure must include expenses for investigations, remediation of the breach, litigation and revenues losses. Of course, the public firm can’t quantify reputational harm, but must include mention of that fact. “Public firms must also explain the possibility that a breach could take place in the future and which assets — data– are at risk of being stolen,” says Rossi.
When it comes to explaining how critical data will be protected from a cybersecurity attack, the SEC is allowing some discretion. “Firms won’t be required to spill the beans about every precautionary step they are taking because that would give hackers too much information,” says Rossi.
What if a public firm has never experienced a cybersecurity breach, or at least is not aware of it? The good news is that the firm won’t be in the hotseat from investors, customers and regulators on how much information to disclose. The bad news is it will still have to devise language to explain the future possibility of a cybersecurity breach and whether they have purchased cybersecurity insurance. The firm must also admit that such insurance may not cover all financial losses to investors.
Although the SEC’s guidance focuses on what to do after a cybersecurity breach has taken place, Wittkop recommends that firms review their entire cybersecurity program before they’re faced with a breach. “They must ensure that they have sufficient incidence report procedures to investigate potential breeches quickly, to confirm or deny them, as well as reporting breaches within the timeframes established by the guidance,” he says.