Cyber is still a relatively young risk, and the various stakeholders in cyber-risk are at times still trying to determine their particular roles. This includes the officers and directors of companies responsible for establishing enterprise policies, the information technology professionals charged with protecting data security, and the risk managers trying to minimize company exposure.
The regulators themselves are likewise still determining their place in data security. For example, this blog has previously discussed the role of the Federal Trade Commission and its prosecution of companies for poor data security policies and practices.
In this regard, public companies may soon be required to file a Securities and Exchange Commission (“SEC”) Form 8-K after experiencing a cybersecurity event. Form 8-K (which still contains disclosure requirements for less technology-driven events, such as coal mine shutdowns) is already being used to report material cyber events. While the form itself has not yet been amended to include a disclosure item specific to cyber events, making such disclosures on Form 8-K is quickly becoming a “best practice.” After its late 2013 data breach, Target formally disclosed the breach to the SEC on a Form 8-K filed February 26, 2014.
In accordance with the SEC’s existing “guidance,” it is recommended that material cyber breaches, and even potential cyber-risks, be disclosed via Form 8-K. The SEC, however, has not yet issued formal rules specifying which cyber events require disclosure. As always, the disclosure obligation turns on whether the cyber event is material.
The SEC applies its traditional definition of materiality to cyber events: “[i]nformation is considered material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision or if the information would significantly alter the total mix of information made available.”
Form 8-K already requires disclosure of “material impairments,” which covers impairment of any of the company’s assets, including goodwill. A breach of private consumer information may therefore require disclosure even where it damages no physical asset, since the resulting loss of customer confidence can impair goodwill or otherwise be material to investors. After Target’s data breach, its customer traffic fell to its lowest point in three years. Given the SEC guidance and the broad definition of materiality, more and more companies may consider filing 8-K disclosures in connection with data breaches.
In addition to actual breaches, SEC “guidance” indicates disclosure obligations for potential cyber risks. In April of this year, the SEC Office of Compliance Inspections and Examinations (“OCIE”) issued a sample list of the information requests it may make to the registrants it examines (broker-dealers and investment advisers, rather than public companies generally), including, but not limited to: whether the company has a Chief Information Security Officer (“CISO”) or equivalent position; any contingency or response plans in place in the event of a cyber incident; an inventory of devices that interface with customer data; and an inventory of the software and applications on the company’s systems or network. OCIE may even go so far as to request design drawings of the network architecture.
OCIE will also look at whether companies have implemented cybersecurity risk management standards such as those recently recommended by the National Institute of Standards and Technology (“NIST”) in its Cybersecurity Framework. Companies that store private consumer information will face further scrutiny, including disclosure of the authentication methods they use. OCIE will request information not only about the company’s own cybersecurity standards but also about those of any third-party vendor with access to the company’s data.
Finally, OCIE will seek information about how a company identifies the breaches that do occur, including penetration testing of IT systems and networks for weaknesses, and how actual breaches are detected, tracked, and responded to.
It will be interesting to follow the role the SEC asserts in regulating data security and how it interrelates with other regulators, insurers, and policyholders themselves.