In today’s world of ubiquitous Internet connectivity, no company is immune from cyberattack. Indeed, as many cybersecurity experts say, there are only two types of companies left in the United States: those that have been hacked and those that don’t know they’ve been hacked. President Obama has declared that the “cyber threat is one of the most serious economic and national security challenges we face as a nation” and that “America’s economic prosperity in the 21st century will depend on cyber security.” President Barack Obama, Remarks by the President on Securing Our Nation’s Cyber Infrastructure (May 29, 2009). Companies can incur significant costs as a result of cyberattacks, including costs related to the deployment of additional personnel and security technologies to protect against future attacks, loss of revenues due to offline websites, theft of intellectual property, loss of competitive advantages due to unlawful access to pricing and marketing strategies, remediation costs from theft of customers’ personal or financial data, litigation, and loss of goodwill and customer relationships.
July 16, 2013 Articles
The Evolving Landscape of Cybersecurity Disclosures
Two types of companies remain: those that have been hacked and those that don't know they've been hacked
By Will Daugherty
While confronting increasingly sophisticated and frequent cyberattacks, public companies are also grappling with the appropriate level of public disclosure of their known cyber risks and incidents. Providing detailed disclosures of cyberattacks can create the risk of providing a road map for future cyberattacks. Yet, a company’s failure to adequately disclose cyber risks and incidents that have a material impact on the company’s operations or financial condition may violate the federal securities laws. Given the complexity of cybersecurity issues, the evolving landscape under the securities laws for cyber disclosures, and the increasingly sophisticated tools and actors involved in cyberattacks, securities litigators need to be prepared for when, not if, a client is faced with an investigation by the Securities and Exchange Commission (SEC) or securities litigation relating to cybersecurity issues. This article provides an overview of the cyber threats facing companies today, examines the evolving regulatory landscape of cybersecurity disclosures, and discusses the potential securities litigation scenarios that may arise in the future as a result of public companies’ cyber risk and incident disclosures (or lack thereof).
Types of Attacks and Actors
Cyberattacks on companies are brought by a multitude of groups and organizations with varying motives, but generally, the actors fall into four categories: cybercriminals, industry-sponsored groups, state-sponsored groups, and “hacktivists.” Cybercriminals are individuals or organized crime groups who engage in illegal cyberattacks primarily for financial or personal gain. The profile of individual cybercriminals ranges from the mischievous high-school computer prodigy to the company insider who may use his or her access to enter the employer’s secure network to download and steal intellectual property—the latter of which can be particularly harmful to companies. For example, in July 2010, an engineer for General Motors and her husband were indicted for downloading $40 million worth of General Motor’s hybrid technology and attempting to sell it to a Chinese automaker. Margaret Cronin Fisk & Steve Raphael, “Michigan Couple Stole GM Secrets for Chinese, U.S. Says,” Bloomberg.com, Nov. 5, 2012. Organized crime groups, many of which operate from eastern Europe, have long targeted personal identity or financial information of companies’ customers or clients to commit identity or financial fraud or to sell the information on the black market. However, organized crime groups are becoming increasingly sophisticated and have reportedly begun targeting companies’ intellectual property for ransom or to sell to competitors.
Groups called “hacktivists,” such as Anonymous, use cyberattacks to make social or political statements by, most frequently, engaging in distributed denial of service (DDoS) attacks on targets. A DDoS attack occurs when hackers use thousands of infected computers, called botnets, to flood a particular server with traffic until it goes off line. Although DDoS attacks do not directly result in the theft of digital assets, the costs of a DDoS attack to a company can include loss of revenue, remediation costs, customer credits and refunds, customer defections, and reputational damage.
Finally, the type of attack presenting the greatest danger to U.S. companies today is an “advanced persistent threat” (APT), which is a term created by analysts in the U.S. Air Force in 2006. The term “APT” describes highly sophisticated attackers (“advanced”) working to achieve long-term objectives without detection (“persistent”), in an organized, well-funded, and highly motivated environment (“threat”). APT is a form of espionage that facilitates unlawful access to digital assets. One common attack method used by APT groups to gain access to target networks is “spear-fishing,” which relies on personalized emails and leverages knowledge of the recipient—typically an employee of the target—to either trick the recipient into opening an attachment or visiting a website that deposits malware on his or her computer. Other common APT attack methods include social engineering techniques, such as impersonating helpdesk personnel, distributing infected USB drives, and, more recently, using a “watering hole” attack in which malicious code is injected onto a specific public webpage that the target employee is likely to visit.
Because of the high level of sophistication and amount of resources necessary to perpetrate an APT, the primary actors engaging in these attacks tend to be industry-sponsored and state-sponsored groups. State-sponsored groups primarily target national defense contractors, companies that provide critical infrastructure (such as electric companies and oil and gas companies), and companies developing advanced technology. In February 2013, Mandiant, a cybersecurity company, issued a report describing its finding that a shadowy group within China’s People’s Liberation Army ran a sophisticated hacking and espionage operation against foreign entities. Dan McWhorter, Mandiant Exposes APT1—One of China’s Cyber Espionage Units & Releases 3,000 Indicators (Feb. 18, 2013). Mandiant reported that the espionage unit hacked 141 companies spanning 20 major industries and stole broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organizations’ leadership.
Industry groups and participants are also believed to be using APTs to commit corporate espionage. The New York Times recently reported that hacking in China is no longer an underground phenomenon; rather, it is a burgeoning sector with private corporations using “complex tiers of agents who hire the hackers” for industrial espionage. Edward Wong, Hackers Find China Is Land of Opportunity, "N.Y. Times," May 22, 2013. And the cost of cyber–corporate espionage to U.S. companies is significant. In 2010, the commander of the U.S. Cyber Command and Director of the National Security Agency, General Keith B. Alexander, stated that cyberattacks are the source of the “greatest transfer of wealth in history” from U.S. companies to foreign hackers, with approximately $300 billion in intellectual property stolen in cyber breaches each year. See Report of the Commission on the Theft of American Intellectual Property (May 2013).
SEC Guidance on Cyber Risk and Incident Disclosures
In light of the growing threat and costs of cyberattacks to American businesses, in May 2011, Senate Commerce Committee Chairman Jay Rockefeller wrote to then-SEC Chairman Mary Shapiro asking the SEC to develop and publish guidance to public companies on disclosure requirements concerning “information security risk, including material information breaches involving intellectual property or trade secrets.” In October 2011, the SEC Division of Corporate Finance issued guidance on the disclosure obligations of public companies regarding cybersecurity risks and cyber incidents. SEC, CF Disclosure Guidance, Topic No. 2: Cybersecurity (Oct. 13, 2011).
The guidance did not create any new disclosure obligations; rather, it explained how the staff of the SEC’s Division of Corporate Finance believes that existing disclosure requirements apply in the cybersecurity context. The staff cited the general duty to disclose material information concerning cyber risks or incidents when necessary to make other required disclosures, in light of the circumstances under which they are made, not misleading. The focus of the guidance, however, was on disclosure obligations potentially arising under various sections of Regulation S-K. The primary Regulation S-K items discussed in the Guidance were the following:
Risk factors—Item 503(c). The guidance advises that, in determining whether risk factor disclosure is required, companies must evaluate their cybersecurity risks considering all relevant information, including the severity and frequency of prior cyber incidents, the probability of cyber incidents, and the qualitative and quantitative magnitude of those risks, such as the potential costs resulting from theft of digital assets or operational disruption. If a company concludes that risk factor disclosure is necessary, the guidance advises companies to avoid generic disclosures that could apply to “any issuer.” Rather, depending on the circumstances, a company may have an obligation to
discuss aspects of the company’s business that give rise to material cybersecurity risks and the potential costs and consequences;
describe cyber incidents experienced by the company that individually, or in the aggregate, would be considered material, including a description of the costs and other consequences;
discuss risks related to cyber incidents that may remain otherwise undetected for an extended period; and
describe relevant insurance coverage.
As an example of required disclosure, the guidance states that if a company experienced a material cyberattack in which malware was embedded in its system and customer data was compromised, the company may need to discuss the specific attack and its known and potential costs and consequences as part of a broader discussion of similar attacks that pose a particular risk to the company. The staff reiterated, however, that although “boilerplate” disclosures should be avoided, a company is not required to disclose facts that could compromise its cybersecurity.
MD&A—Item 303. The guidance provides that a company may be required to address cyber risks and incidents in its Management’s Discussion and Analysis of Financial Condition and Results of Operation (MD&A) if a cyberattack or risk of cyberattack represents a material event, trend, or uncertainty and the effects of the event, trend, or uncertainty are likely to have a material effect on the company’s operational results, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition. As an example, if material intellectual property is stolen in a cyberattack and the effects of the theft are reasonably likely to be material, the company should describe the stolen property and the effect or anticipated effect of the attack on its results of operations and financial condition, and discuss whether the attack would cause reported financial information not to be indicative of future operating or financial results.
Description of business—Item 101. The staff advises companies to disclose cyber incidents materially affecting a company’s products, services, and relationships with customers or suppliers, or its competitive conditions in the marketplace. As an example of disclosure obligations arising under item 101, the guidance states that if a company has a new product in development and learns of a cyber breach “that could materially impair its future viability, the registrant should discuss the incident and the potential impact to the extent material.”
Legal proceedings—Item 103. A company may need to describe material legal proceedings arising from a cyber incident. For example, if customer data are stolen in a cyberattack and the theft results in material legal proceedings, the company should describe the proceedings and the factual basis underlying the allegations.
Disclosures under the Guidance
Although few companies immediately responded to the guidance in the months following its release, a review of the most recent annual statements reveals that almost all of the largest U.S. companies have provided at least some general disclosures relating to their cyber risks under the “Risk Factors” section. Some companies incorporate the cyber risk disclosures into general “operational” or “information technology” subheadings, while others devote a specific subheading to cyber risks and incidents. Nevertheless, even disclosures with distinct cyber risk subheadings frequently contain fairly generic discussions of how the company is facing increased and more sophisticated information technology security threats that could pose a risk to the company and its customers and suppliers. See, e.g., General Electric Co., Annual Report (Form 10-K for the fiscal year ending Dec. 31, 2012), at 18 (Feb. 26, 2013). Of the 100 largest U.S. companies, only 27 disclosed having been the target of cyberattacks. Christ Strohm, Eric Engleman & Dave Michaels, “Cyberattacks Abound Yet Companies Tell SEC Losses Are Few,” Bloomberg.com, Apr. 3, 2013. The majority of these disclosures consist of broad statements, such as “[o]ur computer systems have been, and will likely continue to be, subject to computer viruses or other malicious codes, unauthorized access, cyber-attacks or other computer-related penetrations.” MetLife, Inc., Annual Report (Form 10-K for the fiscal year ending Dec. 31, 2012), at 64 (Feb. 26, 2013). At the other end of the spectrum, banks, such as Bank of America Corp. and Citigroup, Inc., have provided much more detailed cyber risk and incident disclosures that are company- and industry-specific and even describe specific types of attacks (albeit in general terms). Of the 27 companies that disclosed having been the target of threats, 12 companies specifically stated that the cyberattacks had no material impact on the company (see Strohm, Engleman & Michaels, supra), although the other companies presumably reached the same conclusion by not including more detailed disclosures of specific incidents or costs associated with them.
Despite the growing number and detail of disclosures by public companies, pressure continues to mount on the SEC to do more. In April 2013, Senator Rockefeller wrote a letter to SEC Chairman Mary Jo White, expressing concern that “[w]hile the guidance has had a positive impact on the information available to investors on [cyberattacks], the disclosures are generally still insufficient for investors to discern the true costs and benefits of companies’ cyber security practices.” Senator Rockefeller asked Chairman White to issue more authoritative guidance to companies on disclosing risks and incidents of cyberattacks. Chairman White responded by letter on May 1, 2013, stating that she has asked the commission to evaluate current guidance for cybersecurity disclosures and to consider whether more stringent requirements are necessary.
The Potential for Securities Enforcement Actions and Securities Litigation
While considering the necessity of more stringent, cyber-specific disclosure regulations, the SEC may decide to apply additional pressure on companies using its enforcement powers under existing disclosure requirements. For example, the SEC could initiate informal or formal investigations to obtain company records to assess whether the content and timing of a company’s disclosures were sufficient following a significant cyberattack. In formal investigations, the SEC is not timid about using its subpoena powers broadly and may seek significant amounts of data and records not only from the company itself but also from any cybersecurity firm hired by the company to respond to a cyberattack. Any administrative proceedings or civil enforcement actions pursued by the SEC relating to cyber disclosures would likely be similar to traditional securities fraud actions brought under section 17(a) of the Securities Act of 1933 and section 10(b) of the Securities Exchange Act of 1934 because no new disclosure obligations were created by the guidance.
Companies hit with significant cyberattacks may also be faced with securities class actions after the public disclosure of a breach causes a company’s stock price to fall precipitously. Although few companies have experienced significant stock price declines following disclosure of a cyberattack (many of such disclosures have been made pursuant to requirements under various state-promulgated data privacy laws), the impact on stock prices from cyber-breach disclosures in the future may not be trivial. This can be expected given the growing digitalization of commerce and assets, the increasing sophistication of cyber threats and actors, and the investing public’s rising awareness of the potential costs to companies that can result from such events. Although it is still unclear precisely how the legal landscape affecting public companies’ disclosure of cyber risks and incidents will evolve and what the resulting impact will be on securities litigation, securities litigators would do well to stay attuned to the rapidly developing world of cybersecurity, which will be a constant and growing risk to public companies in the future.
Copyright © 2013, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).