Contemplating Corporate Disclosure Obligations Arising from Cybersecurity Breaches
Young, Sam, Journal of Corporation Law
I. INTRODUCTION
II. BACKGROUND
A. EMC Corporation and the RSA SecurID Token Hack
B. Magnitude of the Threat to Corporations and Their Investors
C. SEC Disclosure Requirements
D. Senator Rockefeller's Letter
E. SEC's October 2011 Disclosure Guidelines
III. ANALYSIS
A. Disclosure Obligations Under the Guidelines
1. Risk Factors
2. Management's Discussion and Analysis of Financial Condition and Results of Operations (MD&A)
3. Description of Business
4. Legal Proceedings
5. Financial Statement Disclosures
6. Disclosure Controls and Procedures
B. Reaction to the Guidelines
IV. RECOMMENDATION
A. The SEC Should Adopt the Guidelines as Formal Rules
B. The SEC Should Institute Dollar and Percentage of Assets Thresholds for Determining Materiality
C. The SEC Should Develop an Optional Reporting System for Cyberattacked Public Companies
V. CONCLUSION
In an age where business entities store and communicate valuable information pertaining to sales, planning, research and development, company finances, and intellectual property on their Internet-connected computer networks, it is not surprising that these computer networks have become the target of cyberattacks. (1) These cyberattacks range in complexity from simple denial-of-service attacks, which disrupt company websites but do not exfiltrate information, (2) to sophisticated attacks that can destroy, or appropriate, multimillion-dollar investments. (3) Despite the negative impact that a major cybersecurity breach might have on a public company's investors, the Securities and Exchange Commission (SEC) does not currently have a formal rule or regulation explicitly requiring a public company to disclose a damaging cyberbreach to its investors. (4) However, in the wake of numerous high-profile cyberattacks on corporations, the SEC recently issued guidelines advising companies that cyberattacks may require public disclosure in certain circumstances. (5)
Part II of this Note provides background information on pertinent cybersecurity and SEC disclosure issues, including those issues that most directly led to the SEC's issuance of its advisory disclosure guidelines. Next, Part III analyzes these guidelines in detail and presents potential areas of concern posed by their implementation. Part IV advises that the SEC should adopt these guidelines as formal rules. It also urges the SEC to supplement the guidelines with specific dollar and percentage of assets thresholds to assist a company in determining the materiality of a given cyberevent. It then proposes a new, optional reporting system to provide a recently attacked company with the ability to document its real-time responses to a cyberattack, including its decision making regarding its disclosure obligations. Finally, Part V summarizes this Author's recommendations, placing them in the modern cybersecurity and disclosure contexts.
According to a widely cited study, during the 12 months preceding June 2011, 90% of companies were the target of at least one cyberattack. (6) In 2010, "malicious" cyberattacks constituted 31% of all U.S. data breaches, with each breach costing the affected company an average of $7.2 million. (7) While some breaches may prove relatively harmless, others may damage a corporation's infrastructure, assets, and competitive advantage to a significant degree. (8) Many cyberattack victims are companies that take security very seriously; in fact, for some, "security" is their business. (9) Others, though not in the security business, are considered leaders in the information technology, computer networking, and Internet business fields. (10)
The resulting harms of a successful attack against such firms are not limited to information losses and mitigation expenses; the attacks may undermine the very reputations of the firms. …