SEC Cybersecurity Disclosure Guidance: Risks and Strategies

SEC Cybersecurity Disclosure Guidelines


Page 1: SEC Cybersecurity Disclosure Guidelines

SEC Cybersecurity Disclosure Guidance: Risks and Strategies

Page 2

Introductions: Today’s Speakers

• Rick Olin, CIPP/US; Counsel, GTC Law Group
• Gant Redmon, CIPP/US; General Counsel, Co3 Systems

Page 3

Agenda

• Introductions
• Basis of SEC Cybersecurity Disclosure Guidance
• Current SEC Disclosure Guidance
• What Companies Are Doing
• Potential Changes to Disclosure Guidance
• Proactive Steps to Consider
• Other Considerations
• Final Thoughts/Recommendations
• Q&A

Page 4

Co3 Automates Incident Response

PREPARE: Improve Organizational Readiness
• Assign response team
• Describe environment
• Simulate events and incidents
• Focus on organizational gaps

REPORT: Document Results and Track Performance
• Document incident results
• Track historical performance
• Demonstrate organizational preparedness
• Generate audit/compliance reports

ASSESS: Quantify Potential Impact, Support Privacy Impact Assessments
• Track events
• Scope regulatory requirements
• See $ exposure
• Send notice to team
• Generate Impact Assessments

MANAGE: Easily Generate Detailed Incident Response Plans
• Escalate to complete IR plan
• Oversee the complete plan
• Assign tasks: who/what/when
• Notify regulators and clients
• Monitor progress to completion

Page 5

About GTC

• GTC Law Group specializes in IP Strategy, Mergers & Acquisitions, and Business & Technology Transactions for IP-centric companies and institutions worldwide.
• Founded in 2002 in response to overwhelming client demand for a strategic approach to IP counseling and transactions.
• Broad range of clients, including Fortune 500 enterprises, technology start-ups, venture capital firms, entrepreneurs, and industry consortia across the spectrum of IP-intensive sectors, including software, hardware, life sciences, financial services, Internet, media & entertainment and energy.
• Strategic partners for Data Privacy and Security.

Page 6

Basis of SEC Cybersecurity Disclosure Guidance

• U.S. Securities Laws: High Value Placed on Transparency
  • Goal is a level playing field: equal access to information that might affect an investment decision
  • Prohibits trading on “material non-public” information
  • Historically, SEC required disclosure of any information that would have a material effect on a company’s performance
  • Materiality is determined in light of the “total mix” of information available
    • defined as any information that a reasonable investor would find important in deciding whether to purchase or sell a security
• SEC Guidance on Cybersecurity
  • Released in October 2011 by Division of Corporate Finance
  • “This guidance is not a rule, regulation, or statement of the Securities and Exchange Commission. Further, the Commission has neither approved nor disapproved its content.”
  • Even though “advisory” in nature, it is prudent for registrants/reporting companies to consider enhanced disclosure
  • Provides clearer guidance on “material risks”

Page 7

Basis of SEC Cybersecurity Disclosure Guidance

Cyber Incident Could Affect Company Stock Performance

• Damage to company’s brand
• Risk of class-action securities litigation
• Private causes of action
• Even if no harm to operations, may lower confidence in company
• Remediation costs and lost revenue
• SEC Enforcement
• Bottom Line: potential adverse impact on company stock price

Page 8

Basis of SEC Cybersecurity Disclosure Guidance

• Objectives and effects of cyber attacks: Cyber attacks are most commonly targeted at one of three objectives:
  • Stealing Proprietary Business Information – trade secrets, data, and other business information.
  • Financial Information and Identity Theft – often seek to acquire credit card numbers, SSNs and bank account information.
  • Harming a Competitor – some are intended to disable or disrupt a competitor’s operations.

Page 9

Current SEC Disclosure Guidance

Operative Definitions

• “Cybersecurity” – SEC Guidance uses the following definition of “Cybersecurity”: the body of technologies, processes and practices designed to protect networks, systems, computers, programs and data from attack, damage or unauthorized access; and notes that a “cyber incident can result from deliberate attacks or unintentional events.”
• “Cyber incident” – two major categories: (a) unauthorized access and (b) disruption of functionality:
  • Unauthorized access – an incident in which a party not authorized to access a digital system gains access to proprietary or other sensitive information; may be as a result of deliberate acts or unintentional events.
  • Disruption of functionality – attacks, also known as “denial of service” attacks, that involve efforts to limit the functionality of data processing, storage, and transmission systems, such as web sites through which orders are processed; generally involve programs that send high volumes of repeated queries to targeted sites.

Page 10

Current SEC Disclosure Guidance

• General Disclosure Tenets
  • Fact-specific Inquiry – The disclosure requirements related to cyber incidents should reflect the reporting company’s specific facts and circumstances, as well as the existing securities laws. As to the latter, as with any reporting disclosure:
    • Timeliness/Accuracy – Disclosure must be timely, comprehensive, and accurate about risks and events that a reasonable investor would consider important to an investment decision.
    • Context – Material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.
    • Ongoing Review – As with other operational and financial risks, registrants should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.

Page 11

Current SEC Disclosure Guidance

General Disclosure Tenets (continued)

• Factors to Consider – In determining disclosure obligations:
  • Relative Significance
    • Whether a security incident may be “among the most significant factors that make an investment in the company speculative or risky”.
    • Factors particular to a business or the type of business, rather than risks that could apply to any business
  • Incident Impact and History – When conducting this evaluation of its cybersecurity “risk profile”, a reporting company must examine risks of such an incident, prior cyber incidents and the severity and frequency of such incidents.
  • Likelihood of Future Incidents – A registrant should also analyze the likelihood of additional incidents occurring in the future, and the impact of such incidents on the company.

NOTE: A company need not disclose risks that are generic in nature or details that would likely compromise its cybersecurity efforts.

Page 12

Current SEC Disclosure Guidance

Specific Disclosure Requirements – There are a number of specific disclosure requirements under existing regulations that “may require a discussion of cybersecurity risks and cyber incidents” in (i) Registration Statements, (ii) Periodic Reports and (iii) Material Event Reports:

• Risk Factors
• Management’s Discussion and Analysis
• Legal Proceedings
• Description of Business
• Financial Statement Disclosures
• Other Disclosures

Page 13

Current SEC Disclosure Guidance

Specific Disclosure Requirements (continued)

• Risk Factors – following evaluation of the company’s overall cybersecurity “risk profile,” and consistent with the Regulation S-K Item 503(c) requirements for risk factor disclosures, generally, “cybersecurity risk disclosure provided must adequately describe the nature of the material risks and specify how each risk affects the registrant.” To the extent material, appropriate disclosures may include: discussion of aspects of operations that give rise to material risks; outsourced security functions; past cybersecurity incidents and costs of remediating those incidents; risks of undetected cybersecurity incidents; and relevant insurance coverage that might cover such an incident.
• Management’s Discussion and Analysis – should address cybersecurity risks and incidents in MD&A “if the costs or other consequences associated with one or more known incidents or the risks of potential incidents represent a material event, trend or uncertainty that is reasonably likely to have a material effect” on the company’s financial position. For example, if critical intellectual property is stolen, a company will want to evaluate the materiality of the theft and whether to disclose that the information was stolen and the potential effect on the company’s financial condition.

Page 14

Current SEC Disclosure Guidance

Specific Disclosure Requirements (continued)

• Legal Proceedings – Legal proceedings involving a cyber incident may need to be disclosed and would include the name of the court, the date the suit was instituted, principal parties, description of the allegations and the damages sought.
• Description of Business – In determining whether to include disclosure regarding cybersecurity incidents in this section of its filings, registrants “should consider the impact on each of their reportable segments. As an example, if a registrant has a new product in development and learns of a cyber incident that could materially impair its future viability, the registrant should discuss the incident and the potential impact to the extent material.”
• Financial Statement Disclosures – Cybersecurity risks and cyber incidents may have a broad impact on a registrant’s financial statements, depending on the nature and severity of the potential or actual incident.

Page 15

Current SEC Disclosure Guidance

Specific Disclosure Requirements (continued)

• Other Disclosures – In addition to the foregoing specific areas to be considered, the SEC guidance requires consideration of:
  • Prevention Costs – the substantial costs that may be incurred to prevent cyber incidents, and the accounting for the capitalization of these costs to the extent that such costs are related to internal use software;
  • ASC 605-50 – Customer Payments and Incentives, to ensure appropriate recognition, measurement, and classification of any incentives provided to customers by the company in its efforts to mitigate damages from a cyber incident;
  • ASC 450-20 – Loss Contingencies, to determine when to recognize a liability if losses (such as losses related to claims based on breach of contract, product recall and replacement, and indemnification of counterparty losses from their remediation efforts) are probable and estimable;
  • Effectiveness Assessment – Conclusions on the effectiveness of disclosure controls and procedures. To the extent cyber incidents pose a risk to a registrant’s ability to record, process, summarize, and report information that is required to be disclosed in Commission filings, management should also consider whether there are any deficiencies in its disclosure controls and procedures that would render them ineffective.

Page 16

POLL

Page 17

What Other Companies Are Doing

Trends and Patterns

• Companies are still in the process of adjusting to this guidance, so it is still too early to assess the long-term practical effect.
• At this stage two trends have emerged:
  • Disclosure of Risk by Financial Companies and Some Other Large Companies – Many companies, particularly financial institutions, have acknowledged the risk posed by cyber security breaches in their periodic filings and some have acknowledged that they have been the victims of cyber attacks, but these reports do not generally acknowledge those attacks having had a material effect on financial performance.
  • Few Disclosures of Actual Breaches – Although companies are disclosing the risk of breach, few are disclosing actual breaches in SEC filings. In cases where companies have been required by state law to disclose such breaches, the SEC has inquired why there was not also an 8-K disclosure.

Page 18

Trends and Patterns

Willis Fortune 500 Cyber Disclosure Report 2013

• tracked responses to SEC Guidance by Fortune 500 companies
• key findings include (as of April 2013):
  • ~85% of Fortune 500 companies were following the SEC guidelines by providing some level of disclosure of cyber exposures.
  • ~40% of Fortune 500 companies failed to provide details on the size of their exposure, stating only that the risk would have an impact on the company without further discussing the extent of the impact.
• concludes that compliance with the SEC’s mandated level of disclosure is questionable, given the lack of disclosure on the probability of incidents and their quantitative and qualitative magnitude.

Page 19

What Other Companies Are Doing

• Example of Annual Disclosure: Risk Factor
  • Goldman Sachs 2012 10-K acknowledges that it has been the “target” of cyber attacks, but does not specify if any of those attacks were successful:

“We are regularly the target of attempted cyber attacks, including denial-of-service attacks, and must continuously monitor and develop our systems to protect our technology infrastructure and data from misappropriation or corruption. Although we take protective measures and endeavor to modify them as circumstances warrant, our computer systems, software and networks may be vulnerable to unauthorized access, misuse, computer viruses or other malicious code and other events that could have a security impact. If one or more of such events occur, this potentially could jeopardize our or our clients’ or counterparties’ confidential and other information processed and stored in, and transmitted through, our computer systems and networks, or otherwise cause interruptions or malfunctions in our, our clients’, our counterparties’ or third parties’ operations, which could impact their ability to transact with us or otherwise result in significant losses or reputational damage. The increased use of mobile technologies can heighten these and other operational risks. We expect to expend significant additional resources on an ongoing basis to modify our protective measures and to investigate and remediate vulnerabilities or other exposures, and we may be subject to litigation and financial losses that are either not insured against or not fully covered through any insurance maintained by us.”

Page 20

What Other Companies Are Doing

• Example of 8-K Disclosure
  • Selective Insurance Group’s February 5, 2013 8-K filing reads more like an annual report’s risk disclosure than an acknowledgement of a specific attack:

“We are subject to attempted cyber-attacks and other cybersecurity risks. The nature of our business requires that we store and exchange electronically with appropriate parties and systems significant amounts of personally identifiable information that may be targeted in an attempted cybersecurity breach. In addition, our business is heavily reliant on various information technology and application systems that may be impacted by a malicious cyber-attack. These cyber incidents may cause lost revenues or increased expenses stemming from reputational damage and fines related to the breach of personally identifiable information, inability to use certain systems for a period of time, loss of financial assets, remediation and litigation costs and increased cybersecurity protection costs. We have developed and continue to invest in a variety of controls to prevent, detect and appropriately react to such cyber-attacks including periodically testing our systems security and access controls. However, cybersecurity risks continue to become more complex and broad ranging and our internal controls provide only a reasonable, not absolute, assurance that we will be able to protect ourselves from significant cyber-attack incidents. By outsourcing certain business and administrative functions to third parties, we may be exposed to enhanced risk of data security breaches. Any breach of data security could damage our reputation and/or result in monetary damages, which, in turn, could have a material adverse effect on our results of operations, liquidity, financial condition, financial strength, and debt ratings. Although we have not experienced a material cyber-attack, we recently purchased insurance coverage to specifically address cybersecurity risks. The coverage provides protection up to $20 million above a deductible of $250,000 for various cybersecurity risks including privacy breach related incidents.”

Page 21

What Other Companies Are Doing

• Examples of SEC Responses
  • In response to press reports that Morgan Stanley had experienced cyber attacks, SEC sent an inquiry letter that appears to go beyond the guidance by requiring the disclosure of a cyber attack that did not result in a material operating impact.
  • Here is an excerpt:

“We note your response to comment 1 in our letter dated June 22, 2012. Based on your response it appears that you may have experienced one or more security breaches or cyber attacks that did not result in a material adverse effect on your operations. If true, beginning with your next periodic filing, please simply state this fact so investors are aware that you are currently experiencing these cyber risks.”

  • Similarly, SEC requested that Freeport disclose any cyber attacks that it experienced:

“In future filings, beginning with your next Form 10-Q, please provide risk factor disclosure describing the cybersecurity risks that you face or tell us why you believe such disclosure is unnecessary. If you have experienced any cyber attacks in the past, please state that fact in any additional risk factor disclosure in order to provide the proper context.”

Page 22

POLL

Page 23

Potential Changes to Disclosure Guidance

Prospects for Legislation

• During the last term, Congress considered a bill (S. 3414) that would have required the SEC to examine its cybersecurity regulations and to issue annual reports to Congress on cybersecurity enforcement activity for five years.
  • That bill’s lead sponsor, Sen. Lieberman, has since retired and no similar legislation has been filed.
  • Current Senate Commerce Committee Chairman Jay Rockefeller was a co-sponsor of that legislation and has expressed a keen interest in the issue, so it is reasonable to speculate that a failure of the SEC to move forward with new regulations could lead Chairman Rockefeller to file legislation that would require such action.

Page 24

Potential Changes to Disclosure Guidance

• Possible SEC Regulations
  • April 9, 2013 letter from Sen. Rockefeller to SEC Chairman White
    • “…given the growing significance of cyber security on investors’ and stockholders’ decisions, the SEC should elevate this guidance and issue it at the Commission level as well. While the staff guidance has had a positive impact on the information available to investors on these matters, the disclosures are generally insufficient…to discern the true costs and benefits of companies’ cybersecurity practices.”
  • Chairman White’s May 1, 2013 Response Letter
    • Review commenced in early 2012 resulted in staff comments to ~50 public companies “of varying size and in a wide variety of industries”;
    • She has asked the staff to provide her with a briefing of current disclosure practices and overall compliance with the guidance, as well as any recommendations for further action.
  • Although there is no commitment to specific changes (or to the need for any changes), there is a widely-held expectation that the SEC will issue expanded cyber security guidance.

Page 25

Proactive Steps to Consider

• Conduct a “Risk Profile” Analysis
  • For certain businesses it is prudent to conduct a risk profile analysis to determine the potential impact of a cybersecurity incident and to examine current filing disclosures to evaluate whether they are appropriate and sufficient under the SEC guidance.
  • If your company collects, processes or stores sensitive data, such as financial or healthcare information, your disclosure likely should be enhanced to address risks related to a cyber incident.
  • Such an analysis should consider two distinct types of exposure: (1) operational risk and (2) compliance risk.
    • Operational Risk – considers a company’s use of sensitive data and asks what the effect of a successful cyber attack on the company would be. For purposes of this analysis, it is helpful to explore scenarios involving different types of cyber incidents (e.g. loss or theft of proprietary data, and disruption of functionality) in light of the specific types of sensitive information (including customer information, credit cards, financial information, health care records, social security numbers, intellectual property, strategy documents, etc.).

Page 26

Proactive Steps to Consider

• Compliance Risk – 2 distinct types of compliance risk to evaluate: (a) pre-attack disclosures and (b) incident reporting.
  • Pre-attack Disclosures – Failure to report vulnerability to cyber attacks in annual filings could constitute a breach of the duty to disclose material information. Although such failure might be harmless, it could also lead to SEC enforcement actions. These actions often begin with a comment letter, but can escalate to full scale investigations resulting in costly litigation and potential fines and injunctions, as well as referral of violations to other agencies and departments, including FINRA, FTC, and DOJ. Shareholder litigation is also possible if the value of a stock declines following a subsequent cyber attack (after a failure to disclose risk).
  • Incident Reporting – Involves a delicate balancing act, in deciding whether to disclose, between providing investors with material information and not giving cyber attackers a road map to vulnerabilities. Acknowledging the attacks without going into detail on the attacks may be appropriate depending upon the operational effect of the attack. Generally, disclosure on a state level should be evaluated in the context of SEC requirements.

Page 27

Proactive Steps to Consider

Consider Risk Mitigation Strategies

• Once cybersecurity risk has been analyzed, a number of risk mitigation strategies are available. Although disclosure may mitigate enforcement risk, there are a number of ways to mitigate operational risk. Two areas in particular should be examined:
  • Operational Changes – An operational risk may often be mitigated through operational changes, such as using more advanced encryption, setting up back-up servers to assist in resisting a denial of service attack, outsourcing data services to a more secure provider, or even opting not to store certain types of highly-sensitive data in digital form.
    • Contractual obligations may need to be amended to make these operational changes.
    • These operational exposures should be considered when drafting and negotiating contracts, which may also help to shift risks to partners better able to manage them.
    • Prioritization of cyber security through staffing adjustments, training, and education is also a useful tool to consider. For example, some companies have designated a person within their IT departments as having responsibility for developing and implementing a cybersecurity policy.

Page 28

Proactive Steps to Consider

• Insurance – the most direct approach to mitigating cyber security risk. Important considerations include:
  • whether current insurance would cover all forms of cyber security attack (including the terms and exclusions)
  • whether further insurance would make sense, keeping in mind that other risk mitigation measures may lower the cost of such insurance.
• Generally, traditional business insurance does not fully cover cyber attacks:
  • offers only limited coverage for a number of cybersecurity-related exposures, such as revenue lost during disruption of functionality/denial of service attacks, cost to recover lost data, exposure of proprietary information, and expenses associated with recovering from cyber attacks.
  • often offers no coverage for other cyber attack exposures, including defending regulatory actions (including SEC suits), providing notification to users whose private data has been breached, and compensating data subjects who have been harmed by the security breach (e.g. through theft of their credit card numbers or private information).
• Cyber insurance policies that provide robust coverage for all of these areas are available and may be a prudent investment depending upon the level of exposure and the company’s risk tolerance.

Page 29

Other Considerations

• Impact on Directors and Officers
  • Directors and officers should be active participants in the cybersecurity discussion both for purposes of developing effective risk mitigation strategies and because directors may be exposed to liability under the business judgment rule if they do not actively consider cybersecurity issues in planning company operations. One approach to this issue is to include cybersecurity updates in reports to the board of directors on a regular basis.
  • If the Disclosure Committee does not have an IT/Security representative, consider adding that resource.

Page 30

Other Considerations

Related State Laws

• In addition to SEC reporting requirements, most states have enacted laws requiring companies to report breaches where certain personally identifiable information is accessed. Although it is possible that breaches could affect a company financially without involving the breach of files containing personal information, many breaches will likely need to be reported:
  • to state officials (AG or Secretary of State);
  • to Data Subjects;
  • media; or
  • others
• When such a state disclosure is required, it may prompt the need for disclosure to the SEC to avoid partial dissemination (“selective disclosure”) of material information. This determination will turn on the Materiality assessment; also consider whether the state disclosure is public.

Page 31

Final Thoughts/Recommendations

• Disclosure of Risk
  • Ensure you “right size” the risk disclosure to your business.
  • Balance between overkill and boilerplate.
  • Although some sectors (e.g. financial) have greater potential exposure than others, virtually all large companies bear some risk.
• Disclosure of Actual Breaches
  • SEC Guidance suggests that actual breaches should be disclosed when they take place via an 8-K filing.
  • Reactive 8-K disclosure could compromise ongoing incident investigations.
  • Differing requirements could lead to inconsistencies in notices:
    • Litigation Risks
    • Unfair/Deceptive Acts & Practices
  • Rule is advisory only – it appears few companies have followed it.
  • SEC is currently considering strengthening this guidance, potentially making it a binding rule.
  • Contractual obligations may decrease notice threshold(s).
• Consequences of Failure to Disclose
  • SEC may take enforcement action against a company that fails to disclose material information.
  • A decrease in stock price may spawn class action securities law suits.

Page 32

QUESTIONS

Page 33

One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM

Rick Olin, CIPP/US
Counsel
GTC Law Group
[email protected]

“One of the most important startups in security…” – BUSINESS INSIDER, JANUARY 2013
“One of the hottest products at RSA…” – NETWORK WORLD, FEBRUARY 2013
“an invaluable weapon when responding to security incidents.” – GOVERNMENT COMPUTER NEWS
“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.” – PC MAGAZINE, EDITORS’ CHOICE