SEC Cybersecurity Disclosure Guidelines
SEC Cybersecurity
Disclosure Guidance:
Risks and Strategies
Page 2
Introductions: Today’s Speakers
• Rick Olin, CIPP/US; Counsel, GTC Law Group
• Gant Redmon, CIPP/US; General Counsel, Co3 Systems
Page 3
Agenda
• Introductions
• Basis of SEC Cybersecurity Disclosure Guidance
• Current SEC Disclosure Guidance
• What Companies Are Doing
• Potential Changes to Disclosure Guidance
• Proactive Steps to Consider
• Other Considerations
• Final Thoughts/Recommendations
• Q&A
Page 4
Co3 Automates Incident Response
PREPARE – Improve Organizational Readiness
• Assign response team
• Describe environment
• Simulate events and incidents
• Focus on organizational gaps
REPORT – Document Results and Track Performance
• Document incident results
• Track historical performance
• Demonstrate organizational preparedness
• Generate audit/compliance reports
ASSESS – Quantify Potential Impact, Support Privacy Impact Assessments
• Track events
• Scope regulatory requirements
• See $ exposure
• Send notice to team
• Generate Impact Assessments
MANAGE – Easily Generate Detailed Incident Response Plans
• Escalate to complete IR plan
• Oversee the complete plan
• Assign tasks: who/what/when
• Notify regulators and clients
• Monitor progress to completion
Page 5
About GTC
• GTC Law Group specializes in IP Strategy, Mergers &
Acquisitions, and Business & Technology Transactions for
IP-centric companies and institutions worldwide.
• Founded in 2002 in response to overwhelming client
demand for a strategic approach to IP counseling and
transactions.
• Broad range of clients, including Fortune 500 enterprises, technology start-ups, venture capital firms, entrepreneurs,
and industry consortia across the spectrum of IP-intensive sectors, including software, hardware, life sciences,
financial services, Internet, media & entertainment and energy.
• Strategic partners for Data Privacy and Security.
Page 6
Basis of SEC Cybersecurity Disclosure Guidance
• U.S. Securities Laws: High Value Placed on Transparency
• Goal is level playing field: equal access to information that might affect an
investment decision
• Prohibits trading on “material non-public” information
• Historically, SEC required disclosure of any information that would have a material
effect on a company’s performance
• Materiality is determined in light of the “total mix” of information available
• defined as any information that a reasonable investor would find important in
deciding whether to purchase or sell a security
• SEC Guidance on Cybersecurity
• Released in October 2011 by the SEC staff (Division of Corporation Finance) as CF Disclosure Guidance: Topic No. 2
• “This guidance is not a rule, regulation, or statement of the Securities and
Exchange Commission. Further, the Commission has neither approved nor
disapproved its content.”
• Even though “advisory” in nature, registrants/reporting companies would be prudent
to consider enhanced disclosure
• Provide clearer guidance of “material risks”
Page 7
Basis of SEC Cybersecurity Disclosure Guidance
Cyber Incident Could Affect Company Stock Performance
• Damage to company’s brand
• Risk of class-action securities litigation
• Private causes of action
• Even if no harm to operations, may lower confidence in company
• Remediation costs and lost revenue
• SEC Enforcement
• Bottom Line: potential adverse impact on company stock price
Page 8
Basis of SEC Cybersecurity Disclosure Guidance
• Objectives and effects of cyber attacks: Cyber attacks are most
commonly targeted at one of three objectives:
• Stealing Proprietary Business Information – trade secrets,
data, and other business information.
• Financial Information and Identity Theft – often seek to
acquire credit card numbers, SSNs and bank account
information.
• Harming a Competitor – some intended to disable or disrupt a
competitor’s operations.
Page 9
Current SEC Disclosure Guidance
Operative Definitions
• “Cybersecurity” – the SEC Guidance uses this definition of “Cybersecurity”: the body of
technologies, processes and practices designed to protect networks, systems, computers,
programs and data from attack, damage or unauthorized access; and notes that a “cyber
incident can result from deliberate attacks or unintentional events.”
• “Cyber incident” -
• two major categories: (a) unauthorized access and (b) disruption of functionality:
• Unauthorized access - an incident in which a party not authorized to access a
digital system gains access to proprietary or other sensitive information; may
be as a result of deliberate acts or unintentional events.
• Disruption of functionality attacks, also known as “denial of service” attacks, involve
efforts to limit the functionality of data processing, storage, and transmission systems,
such as web sites through which orders are processed; they generally involve programs that
send high volumes of repeated queries to targeted sites.
Page 10
Current SEC Disclosure Guidance
• General Disclosure Tenets
• Fact-specific Inquiry – The disclosure requirements related to cyber incidents
should reflect the reporting company’s specific facts and circumstances, as well as
the existing securities laws. As to the latter, as with any reporting disclosure:
• Timeliness/Accuracy – Disclosure must be timely, comprehensive, and
accurate about risks and events that a reasonable investor would consider
important to an investment decision.
• Context – Material information regarding cybersecurity risks and cyber
incidents is required to be disclosed when necessary in order to make
other required disclosures, in light of the circumstances under which they
are made, not misleading.
• Ongoing Review – As with other operational and financial risks,
registrants should review, on an ongoing basis, the adequacy of their
disclosure relating to cybersecurity risks and cyber incidents.
Page 11
Current SEC Disclosure Guidance
General Disclosure Tenets (continued)
• Factors to Consider – In determining disclosure obligations:
• Relative Significance
• Whether a security incident may be “among the most significant
factors that make an investment in the company speculative or
risky”.
• Factors particular to a business or the type of business, rather than risks
that could apply to any business
• Incident Impact and History – When conducting this evaluation of its
cybersecurity “risk profile”, a reporting company must examine risks of such an
incident, prior cyber incidents and the severity and frequency of such
incidents.
• Likelihood of Future Incidents – A registrant should also analyze the
likelihood of additional incidents occurring in the future, and the impact of such
incidents on the company.
NOTE: A company need not disclose risks that are generic in nature or details
that would likely compromise its cybersecurity efforts.
Page 12
Current SEC Disclosure Guidance
Specific Disclosure Requirements – There are a number of specific disclosure
requirements under existing regulations that “may require a discussion of cybersecurity risks
and cyber incidents” in (i) Registration Statements, (ii) Periodic Reports and (iii) Material
Event Reports:
• Risk Factors
• Management’s Discussion and Analysis
• Legal Proceedings
• Description of Business
• Financial Statement Disclosures
• Other Disclosures
Page 13
Current SEC Disclosure Guidance
Specific Disclosure Requirements (continued)
• Risk Factors – following evaluation of the company’s overall cybersecurity “risk profile,”
and consistent with the Regulation S-K Item 503(c) requirements for risk factor
disclosures generally, “cybersecurity risk disclosure provided must adequately
describe the nature of the material risks and specify how each risk affects the
registrant.” To the extent material, appropriate disclosures may include: discussion
of aspects of operations that give rise to material risks; outsourced security
functions; past cybersecurity incidents and costs of remediating those incidents;
risks of undetected cybersecurity incidents; and relevant insurance coverage that
might cover such an incident.
• Management’s Discussion and Analysis – should address cybersecurity risks and
incidents in MD&A “if the costs or other consequences associated with one or more
known incidents or the risks of potential incidents represent a material event, trend
or uncertainty that is reasonably likely to have a material effect” on the company’s
financial position. For example, if critical intellectual property is stolen, a company
will want to evaluate the materiality of the theft and whether to disclose that the
information was stolen and the potential effect on the company’s financial condition.
Page 14
Current SEC Disclosure Guidance
Specific Disclosure Requirements (continued)
• Legal Proceedings – Legal proceedings involving a cyber incident may need to be
disclosed and would include the name of the court, the date the suit was instituted,
principal parties, description of the allegations and the damages sought.
• Description of Business – In determining whether to include disclosure regarding
cybersecurity incidents in this section of its filings, registrants “should consider the
impact on each of their reportable segments. As an example, if a registrant has a new
product in development and learns of a cyber incident that could materially impair its
future viability, the registrant should discuss the incident and the potential impact to the
extent material.”
• Financial Statement Disclosures – Cybersecurity risks and cyber incidents may have
a broad impact on a registrant’s financial statements, depending on the nature and
severity of the potential or actual incident.
Page 15
Current SEC Disclosure Guidance
Specific Disclosure Requirements (continued)
• Other Disclosures – In addition to the foregoing specific areas to be considered, the SEC guidance
calls for consideration of:
• Prevention Costs – the substantial costs that may be incurred to prevent cyber incidents,
and the accounting for the capitalization of these costs to the extent that such costs are
related to internal use software;
• ASC 605-50 – Customer Payments and Incentives, to ensure appropriate recognition,
measurement, and classification of any incentives provided to customers by the company
in its efforts to mitigate damages from a cyber incident.
• ASC 450-20 – Loss Contingencies, to determine when to recognize a liability if losses
(such as losses related to claims based on breach of contract, product recall and
replacement, and indemnification of counterparty losses from their remediation efforts) are
probable and estimable.
• Effectiveness Assessment – Conclusions on the effectiveness of disclosure controls and
procedures. To the extent cyber incidents pose a risk to a registrant’s ability to record,
process, summarize, and report information that is required to be disclosed in Commission
filings, management should also consider whether there are any deficiencies in its
disclosure controls and procedures that would render them ineffective.
Page 17
What Other Companies Are Doing
Trends and Patterns
• Companies are still in the process of adjusting to this guidance, so it is still too early to
assess its long-term practical effect.
• At this stage two trends have emerged:
• Disclosure of Risk by Financial Companies and Some Other Large
Companies – Many companies, particularly financial institutions, have
acknowledged the risk posed by cyber security breaches in their periodic filings
and some have acknowledged that they have been the victims of cyber attacks,
but these reports do not generally acknowledge those attacks having had a
material effect on financial performance.
• Few Disclosures of Actual Breaches – Although companies are disclosing
the risk of breach, few are disclosing actual breaches in SEC filings. In cases
where companies have been required by state law to disclose such breaches,
the SEC has inquired why there was not also an 8-K disclosure.
Page 18
Trends and Patterns
Willis Fortune 500 Cyber Disclosure Report 2013
• tracked responses to SEC Guidance by Fortune 500 companies
• key findings include (as of April 2013):
• ~85% of Fortune 500 companies were following the SEC guidelines by
providing some level of disclosure of cyber exposures.
• ~40% of Fortune 500 companies failed to provide details on the size of their
exposure, stating only that the risk would have an impact on the company
without further discussing the extent of the impact.
• concludes that compliance with the level of disclosure the SEC guidance calls for is
questionable, given the lack of disclosure on the probability of incidents and their
quantitative and qualitative magnitude.
Page 19
What Other Companies Are Doing
• Example of Annual Disclosure: Risk Factor
• Goldman Sachs 2012 10-K acknowledges that it has been the “target” of cyber attacks,
but does not specify if any of those attacks were successful:
"We are regularly the target of attempted cyber attacks, including denial-of-service attacks, and must continuously
monitor and develop our systems to protect our technology infrastructure and data from misappropriation or corruption.
Although we take protective measures and endeavor to modify them as circumstances warrant, our computer systems,
software and networks may be vulnerable to unauthorized access, misuse, computer viruses or other malicious code
and other events that could have a security impact. If one or more of such events occur, this potentially could
jeopardize our or our clients’ or counterparties’ confidential and other information processed and stored in, and
transmitted through, our computer systems and networks, or otherwise cause interruptions or malfunctions in our, our
clients’, our counterparties’ or third parties’ operations, which could impact their ability to transact with us or otherwise
result in significant losses or reputational damage. The increased use of mobile technologies can heighten these and
other operational risks. We expect to expend significant additional resources on an ongoing basis to modify our
protective measures and to investigate and remediate vulnerabilities or other exposures, and we may be subject to
litigation and financial losses that are either not insured against or not fully covered through any insurance maintained
by us."
Page 20
What Other Companies Are Doing
• Example of 8-K Disclosure
• Selective Insurance Group’s February 5, 2013 8-K filing reads more like an annual
report’s risk disclosure than an acknowledgement of a specific attack:
“We are subject to attempted cyber-attacks and other cybersecurity risks. The nature of our business requires that we
store and exchange electronically with appropriate parties and systems significant amounts of personally identifiable
information that may be targeted in an attempted cybersecurity breach. In addition, our business is heavily reliant on
various information technology and application systems that may be impacted by a malicious cyber-attack. These cyber
incidents may cause lost revenues or increased expenses stemming from reputational damage and fines related to the
breach of personally identifiable information, inability to use certain systems for a period of time, loss of financial assets,
remediation and litigation costs and increased cybersecurity protection costs. We have developed and continue to invest
in a variety of controls to prevent, detect and appropriately react to such cyber-attacks including periodically testing our
systems security and access controls. However, cybersecurity risks continue to become more complex and broad ranging
and our internal controls provide only a reasonable, not absolute, assurance that we will be able to protect ourselves from
significant cyber-attack incidents. By outsourcing certain business and administrative functions to third parties, we may be
exposed to enhanced risk of data security breaches. Any breach of data security could damage our reputation and/or
result in monetary damages, which, in turn, could have a material adverse effect on our results of operations, liquidity,
financial condition, financial strength, and debt ratings. Although we have not experienced a material cyber-attack, we
recently purchased insurance coverage to specifically address cybersecurity risks. The coverage provides protection up
to $20 million above a deductible of $250,000 for various cybersecurity risks including privacy breach related incidents."
Page 21
What Other Companies Are Doing
• Examples of SEC Responses
• In response to press reports that Morgan Stanley had experienced cyber attacks, SEC sent an
inquiry letter that appears to go beyond the guidance by requiring the disclosure of a cyber
attack that did not result in a material operating impact.
• Here is an excerpt:
“We note your response to comment 1 in our letter dated June 22, 2012. Based on your
response it appears that you may have experienced one or more security breaches or
cyber attacks that did not result in a material adverse effect on your operations. If true,
beginning with your next periodic filing, please simply state this fact so investors are
aware that you are currently experiencing these cyber risks.”
• Similarly, SEC requested that Freeport disclose any cyber attacks that it experienced:
• “In future filings, beginning with your next Form 10-Q, please provide risk factor disclosure
describing the cybersecurity risks that you face or tell us why you believe such disclosure
is unnecessary. If you have experienced any cyber attacks in the past, please state that
fact in any additional risk factor disclosure in order to provide the proper context.”
Page 23
Potential Changes to Disclosure Guidance
Prospects for Legislation
• During the last Congress, the Senate considered a bill (S. 3414, the Cybersecurity Act of 2012)
that would have required the SEC to examine its cybersecurity regulations and to issue
annual reports to Congress on cybersecurity enforcement activity for five years.
• that bill’s lead sponsor, Sen. Lieberman, has since retired and no similar
legislation has been filed.
• current Senate Commerce Committee Chairman Jay Rockefeller was a co-sponsor of
that legislation and has expressed a keen interest in the issue, so it is reasonable
to speculate that a failure of the SEC to move forward with new regulations could
lead Chairman Rockefeller to file legislation that would require such action.
Page 24
Potential Changes to Disclosure Guidance
• Possible SEC Regulations
• April 9, 2013 letter from Sen. Rockefeller to SEC Chairman White
• “…given the growing significance of cyber security on investors’ and stockholders’ decisions,
the SEC should elevate this guidance and issue it at the Commission level as well. While the
staff guidance has had a positive impact on the information available to investors on these
matters, the disclosures are generally insufficient…to discern the true costs and benefits of
companies’ cybersecurity practices.”
• Chairman White’s May 1, 2013 Response Letter
• Review commenced in early 2012 resulted in staff comments to ~50 public companies “of
varying size and in a wide variety of industries”;
• She has asked the staff to provide her with a briefing of current disclosure practices and
overall compliance with the guidance, as well as any recommendations for further action.
• Although there is no commitment to specific changes (or to the need for any changes), there is a
widely held expectation that the SEC will issue expanded cyber security guidance.
Page 25
Proactive Steps to Consider
• Conduct a “Risk Profile” Analysis
• For certain businesses it is prudent to conduct a risk profile analysis to determine the
potential impact of a cybersecurity incident and to examine current filing disclosures to
evaluate whether they are appropriate and sufficient under the SEC guidance.
• If your company collects, processes or stores sensitive data, such as financial or
healthcare information, likely your disclosure should be enhanced to address risks
related to a cyber incident.
• Such an analysis should consider two distinct types of exposure: (1) operational risk
and (2) compliance risk.
• Operational Risk – considers a company’s use of sensitive data and asks
what the effect of a successful cyber attack on the company would be. For
purposes of this analysis, it is helpful to explore scenarios involving different
types of cyber incidents (e.g. loss or theft of proprietary data, and disruption of
functionality) in light of the specific types of sensitive information held (including
customer information, credit cards, financial information, health care records,
social security numbers, intellectual property, strategy documents, etc.).
Page 26
Proactive Steps to Consider
• Compliance Risk – 2 distinct types of compliance risk to evaluate: (a) pre-
attack disclosures and (b) incident reporting.
• Pre-attack Disclosures – Failure to disclose material exposure to cyber attacks in
annual filings could constitute a breach of the duty to disclose material
information. Although such a failure might be harmless, it could also lead to
SEC enforcement actions. These actions often begin with a comment letter,
but can escalate to full-scale investigations resulting in costly litigation and
potential fines and injunctions, as well as referral of violations to other
agencies and departments, including FINRA, FTC, and DOJ. Shareholder
litigation is also possible if the value of a stock declines following a
subsequent cyber attack (after a failure to disclose the risk).
• Incident Reporting – involves a delicate balancing act, in deciding whether to
disclose, between providing investors with material information and not
giving cyber attackers a road map to vulnerabilities. Acknowledging the
attacks without going into detail on them may be appropriate
depending upon the operational effect of the attack. Generally, disclosure
required at the state level should be evaluated in the context of SEC requirements.
Page 27
Proactive Steps to Consider
Consider Risk Mitigation Strategies
• Once cybersecurity risk has been analyzed, a number of risk mitigation strategies are
available. Although disclosure may mitigate enforcement risk, there are a number of
ways to mitigate operational risk. Two areas in particular should be examined:
• Operational Changes – An operational risk may often be mitigated through
operational changes, such as using more advanced encryption, setting up
back-up servers to assist in resisting a denial of service attack, outsourcing
data services to a more secure provider, or even opting not to store certain
types of highly-sensitive data in digital form.
• contractual obligations may need to be amended to make these
operational changes.
• these operational exposures should be considered when drafting and
negotiating contracts, which may also help to shift risks to partners better
able to manage them.
• prioritization of cyber security through staffing adjustments, training, and
education is also a useful tool to consider. For example, some
companies have designated a person within their IT departments as
having responsibility for developing and implementing a cybersecurity
policy.
Page 28
Proactive Steps to Consider
• Insurance – the most direct way to transfer the financial consequences of cyber security
risk (it does not reduce the underlying operational exposure). Important considerations include:
• whether current insurance would cover all forms of cyber security attack
(including the terms and exclusions)
• whether further insurance would make sense, keeping in mind that other risk
mitigation measures may lower the cost of such insurance.
• Generally, traditional business insurance does not fully cover cyber attacks:
• offers only limited coverage for a number of cybersecurity-related exposures, such as
revenue lost during disruption of functionality/denial of service attacks, cost to
recover lost data, exposure of proprietary information, and expenses associated with
recovering from cyber attacks.
• often offers no coverage for other cyber attack exposures, including defending
regulatory actions (including SEC suits), providing notification to users whose private
data has been breached, and compensating data subjects who have been harmed
by the security breach (e.g. through theft of their credit card numbers or private
information).
• Cyber insurance policies that provide robust coverage for all of these areas are
available and may be a prudent investment depending upon the level of exposure and
the company’s risk tolerance.
Page 29
Other Considerations
• Impact on Directors and Officers.
• Directors and officers should be active participants in the cybersecurity
discussion, both for purposes of developing effective risk mitigation
strategies and because directors may lose the protection of the
business judgment rule, and so be exposed to liability, if they do not actively
consider cybersecurity issues in planning company operations. One approach
to this issue is to include cybersecurity updates in reports to the board of
directors on a regular basis.
• If Disclosure Committee does not have IT/Security representative,
consider adding that resource.
Page 30
Other Considerations
Related State Laws
• In addition to SEC reporting requirements, most states have enacted laws
requiring companies to report breaches where certain personally identifiable
information is accessed. Although it is possible that breaches could affect a
company financially without involving the breach of files containing personal
information, many breaches will likely need to be reported:
• to state officials (AG or Secretary of State);
• to Data Subjects;
• media; or
• others
• When such a state disclosure is required, it may prompt the need for disclosure
to the SEC to avoid partial dissemination (“selective disclosure”) of material
information. This determination turns on the materiality assessment; also
consider whether the state disclosure is itself public.
Page 31
Final Thoughts/Recommendations
• Disclosure of Risk
• Ensure you “right size” the risk disclosure to your business.
• Balance between overkill and boilerplate.
• Although some sectors (e.g. financial) have greater potential exposure than others, virtually all
large companies bear some risk.
• Disclosure of Actual Breaches
• SEC Guidance suggests that actual breaches, when material, should be disclosed when they
take place via an 8-K filing.
• Reactive 8-K disclosure could compromise ongoing incident investigations.
• Differing requirements could lead to inconsistencies in notices:
• Litigation Risks
• Unfair/Deceptive Acts & Practices
• The guidance is advisory only; it appears few companies have followed it.
• SEC is currently considering strengthening this guidance, potentially making it a binding rule.
• Contractual obligations may decrease notice threshold(s).
• Consequences of Failure to Disclose
• SEC may take enforcement action against a company that fails to disclose material information.
• A decrease in stock price may spawn class action securities law suits.
QUESTIONS
One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
Rick Olin, CIPP/US
Counsel
GTC Law Group