It seems scarcely a week goes by without a headline blaring news of a major cybersecurity breach. And with ongoing revelations about the data-tracking activities of the National Security Agency, the public isn’t growing less concerned about privacy. So it’s no surprise Congress has pressed the Securities and Exchange Commission on cybersecurity.
What does that mean for corporate disclosures? “The SEC continues to hear from Congress on cybersecurity disclosures, so it will continue to focus on the issue,” says David Lynn, a partner in Morrison & Foerster’s Washington office and co-chair of its Corporate Finance Practice. “That means companies need to be vigilant about their disclosures.”
The SEC last issued guidance on cybersecurity disclosures in 2011. Since then it has issued several dozen comment letters to companies that experienced a cybersecurity issue and failed to disclose it in a manner entirely to the SEC’s liking. Even if the agency doesn’t revisit its current guidance on cybersecurity disclosures, “[SEC Chair] Mary Jo White has told Congress the issue is important to the SEC,” says Tony Rodriguez, a partner in Morrison & Foerster’s San Francisco office whose experience includes representations in SEC matters.
The continuing SEC scrutiny also raises concerns about potential litigation. “While we haven’t necessarily seen an increase in cybersecurity cases, if a company is called out by a regulator on their disclosures, it could encourage plaintiffs to take legal action,” Rodriguez observes.
What should companies do? Besides taking appropriate steps to protect data from cyberattacks and remediate breaches that do occur, make sure you have a robust process in place to communicate potential problems to corporate leaders. “Executives responsible for disclosures need to become aware of cybersecurity issues promptly so they can make appropriate disclosure decisions,” Lynn advises.
Finally, approach disclosures in a thoughtful way and let the facts speak for themselves. Describe cybersecurity issues accurately and completely to minimize the possibility of SEC comments and potential litigation.
“Just because the last SEC guidance was issued in 2011 doesn’t mean the issue has gone away,” Lynn concludes. “Cybersecurity breaches will continue to happen to organizations across the board. So be vigilant about your disclosures.”