It seems that some of the nation’s largest public company banks must be avid readers of this blog and have taken to heart our 2013 prediction that the SEC would require greater disclosure related to data security risks and breaches. In their recent annual reports, Goldman Sachs Group Inc., Citigroup, Inc., Bank of America Corp. and many other large banks provided increased disclosure relating to their vulnerability to cybersecurity attacks.
In its Form 10-K, Goldman Sachs cautioned:
“We are regularly the target of attempted cyber attacks, including denial-of-service attacks, and must continuously monitor and develop our systems to protect our technology infrastructure and data from misappropriation or corruption. Although we take protective measures and endeavor to modify them as circumstances warrant, our computer systems, software and networks may be vulnerable to unauthorized access, misuse, computer viruses or other malicious code and other events that could have a security impact.”
Goldman Sachs went on to discuss how the increased use of mobile technologies has further heightened these cybersecurity risks, and the steps they have taken and plan to take to minimize these risks.
Not wanting to be outdone, Bank of America and Citigroup disclosed in their Form 10-Ks specific instances of how each has been subject to denial-of-service and other cybersecurity incidents. Although both banks denied that these incidents have had a material impact on or were significant to their operations, they acknowledged that such incidents may continue to occur.
Public companies are finally beginning to shy away from sweeping their cybersecurity secrets under the mouse pad and have started providing investors with honest and clear disclosure about the cybersecurity risks they face and the cybersecurity incidents they have experienced. Although increased disclosure by public companies is important, public companies should also ensure that they are accurately disclosing their cybersecurity risks and related efforts to prevent data breaches or other incidents. Not only is the SEC likely to scrutinize public companies that completely fail to disclose their cybersecurity risks and incidents, but the SEC is also likely to pursue those public companies that mischaracterize their preventative measures or downplay the severity of their cybersecurity risks and data breach incidents.
Practice Tip: As a public company, you should take measures to confirm that your public disclosure accurately reflects the reality with regard to your preventative measures, cybersecurity risks and prior incidents. Otherwise, you run the risk of disclosing just enough for the SEC to dig deeper into your cybersecurity disclosure and bring to light inconsistencies between what your disclosure says and what your actions show. For information regarding year-end reporting, including cybersecurity disclosure issues, see our Mintz Client Alert here.
The increased disclosure in this annual reporting season is likely only the beginning, and we are seeing the largest public company banks leading the charge on the coattails of Facebook, Inc. and Google, Inc. Look for more public companies outside of the internet and financial services industries to follow suit in the next round of annual public filings.