SEC Requires Greater Disclosure of Cyber Events

Cyber is still a relatively young risk and the various stakeholders in cyber-risk are at times, still trying to determine their particular role.  This includes the officers and/or directors of companies for establishing enterprise policies, the information technology professionals charged with protecting data security and risk managers trying to minimize company exposure.

However, the regulators themselves are also trying to determine their particular place in data security.  For example, this blog has previously discussed the role of the Federal Trade Commission and its prosecution of companies for poor data security policies and practices.

In this regard, public companies may soon be required to file a Securities and Exchange Commission (“SEC”) Form 8-K after experiencing a cybersecurity event. The 8-K form, (which also still contains disclosure requirements for other less technology-driven events like coal mine shutdowns), can now be used to report material cyber events. While the 8-K form itself has not yet been amended to include a disclosure requirement for cyber-events, it is quickly becoming a “best practice” to make such disclosures using the 8-K form. After the late 2013 Target data breach, the company formally disclosed same to the SEC via an 8-K form on February 26, 2014.


In accordance with the SEC “guidelines,” it is recommended that material cyber breaches and even potential cyber-risks be disclosed via the 8-K form. The SEC, however, has not yet issued any formal rules regarding what cyber events require disclosure.  As always, the disclosure obligation turns on whether the cyber event is material.

The SEC applies its traditional definition of materiality to cyber events: “[i]nformation is considered material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision or if the information would significantly alter the total mix of information made available.”

The 8-K form already requires disclosure of “material impairments” which includes disclosure of impairment to any of the company’s assets including goodwill.  Therefore, breaches of private consumer information, while not necessarily impacting a company’s assets, may in any event require disclosure.  After Target’s data breach, its customer traffic hit its lowest point in the three years prior. Given the SEC guidance and the broad definition of materiality, more and more companies may consider filing 8-K disclosures in connection with data breaches.

In addition to actual breaches, SEC “guidance” indicates disclosure obligations for potential cyber risks.  In April of this year, the SEC Office of Compliance Inspections and Examinations (“OCIE”) issued a sample list of requests for information it may make to public companies including, but not limited to whether the company has a Chief Information Security Officer (“CISO”) or equivalent position, any contingency/ response plans in place in the event of a cyber incident, an inventory of devices interfacing with customer data as well as an inventory of software and applications on the company’s data system or network.  The OCIE may even go so far as to request design drawings of network architecture.

OCIE will also look for whether companies have implemented cybersecurity risk management standards such as those recently recommended by the National Institute of Standards and Technology (“NIST”).  Companies that store private consumer information will face further scrutiny including disclosure of authentication methods.  Not only will OCIE request information regarding the company’s cybersecurity standards, but also those of any third party vendor it may use that has access to the company’s data.

Finally, OCIE will seek information regarding a company’s practice of identifying data breaches that do occur, including information regarding penetration testing of IT systems and networks for weaknesses as well as how actual breaches are detected, tracked and responded to.

It will be interesting to follow the role the SEC asserts in the regulation of data security and how it will interrelate with other regulators, insurers and policyholders themselves.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Traub Lieberman Straus & Shrewsberry LLP | Attorney Advertising

Written by:


Traub Lieberman Straus & Shrewsberry LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.