There are three distinct aspects of cyber-security that should be addressed by directors: prevention, detection and, if a company is publicly traded, disclosure to the Securities and Exchange Commission. Part I of our posting addressed prevention and detection matters. This Part II addresses disclosures and some questions to consider.
Public disclosure of a security breach is not mandated by securities laws, although it may be required by other state or federal laws. The Securities and Exchange Commission said the following in 2011:
“Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents.” CF Disclosure Guidance: Topic No. 2, Division of Corporation Finance, Securities and Exchange Commission, October 13, 2011.
However, in certain circumstances, a security breach may rise to the level of requiring disclosure as a risk factor. The SEC’s Division of Corporation Finance issued a staff release detailing the SEC’s views on “cyber incidents”. CF Disclosure Guidance: Topic No. 2, Division of Corporation Finance, Securities and Exchange Commission, October 13, 2011.
The release states, among other things, that public companies should:
- Disclose known or threatened cyber incidents to place the discussion of cyber-security risks in context.
- Address cyber-security risks and cyber incidents in their Management’s Discussion and Analysis if the “costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.”
While the SEC has not commented beyond this 2011 guidance, some commentators have observed that the SEC’s influence in cyber-security is growing and that the SEC is likely to release additional cyber-security regulation. John Mutch, Beware The Coming SEC Regulations On Cybersecurity, May 15, 2013.
Questions Directors Should Be Asking
Directors should tailor their approach to cyber-security to fit the size of their company and the risk profile of their company’s industry. As a starting point, directors should ask the following questions:
- How is the company ensuring that its cyber-security policies and procedures are followed?
- What is the threshold for notifying the board of a security breach?
- What is the threshold for notifying management of a security breach?
- How do management and the board stay abreast of company-level and industry-level security concerns?
- Does the company have adequate business liability insurance in the event of a security breach?
- Does the company have adequate monitoring in place to measure and quantify a security breach?
- Does the company have sufficient backup procedures?
- Who, internally and externally, is responsible for the integrity of the company’s systems and networks and the data they contain?
- Do the company’s cyber-security policies employ industry standards and best practices?
- Have the company’s cyber-security procedures and policies been audited by a third party for vulnerabilities?
- What state and federal laws are applicable to the company in the event of a security breach?
- Does the company have outside counsel available in the event of a security breach?