In the ever-evolving world of cyber crime, it’s important for corporate directors and officers to consider carefully the question of whether they should notify shareholders and potential shareholders of corporate cyber risk.
The Securities and Exchange Commission (SEC) takes the position that public companies should report cyber attacks and hacking attempts to shareholders in their corporate 10-K filings.
In a set of guidelines issued in October 2011, the SEC’s Division of Corporation Finance urged publicly traded companies to disclose Internet or other electronic threats to company networks and systems. According to an interpretation of the guidance by the Information Law Group, public companies are urged to disclose cyber threats based on whether those threats meet a general test of significance to investors.
The interpretation claims that a test of significance should take into account prior incidents, the probability and magnitude of future incidents, and measures taken by the company to minimize material damage from such cyber liability.
Even though the SEC’s statements were couched as guidance, there are compelling reasons to heed the SEC’s advice from the standpoint of both management and business insurance.
First, neither public nor private companies can afford to ignore any longer the fact that cyber liability is a significant and relevant aspect of every firm’s operations. The SEC’s statement has given the issue a status it did not have before by linking this kind of security to the other security decisions that all investors make.
An article in The National Law Review pointed to the broad impact on corporate financial statements that comes from costs of risk prevention as well as the costs of an actual incident. Such costs may affect business relationships with customers or impair operating systems and even other resources like trademarks and patents. The way a company handles cyber risk and its costs can add to or diminish investor uncertainty.
Beyond operations, revenues can also be directly affected by cyber liability: investors expecting higher revenue performance will look directly to the decision patterns of corporate management. When revenues suffer from cyber attacks that management was unprepared for, investors could express their disappointment in the stock market. Unprepared management could be considered part of the investment risk factor that might even affect the success of an initial public offering.
Second, the SEC guidance addresses notifications that companies with hacked networks are required to make under a variety of federal and state laws. The question is whether investors should be notified after a breach, along with the actual owners of the data. The American Bar Association has warned that corporate officers and board members must consider whether failing to declare cyber risks violates disclosure rules like Securities Act Rule 408, Exchange Act Rule 12b-20, and Exchange Act Rule 14a-9, as well as anti-fraud rules like Exchange Act Section 10(b).
Despite the SEC publishing this guidance in October, Reuters reported in early February 2012 that many public corporations were still not disclosing the material risk of cyber threats: even though a full financial quarter had passed since the SEC statement came out, a number of firms (including prominent defense contractors and credit card processors) that are known to have been hacked had not complied with the guidance.
INSUREtrust recognizes the difficulty of complying with this SEC guidance, since disclosing cyber threats can make companies appear more vulnerable than they believe they are. However, we also believe that the decision to disclose ultimately rests with the duty of care that is the responsibility of directors and officers.
With the publication of the SEC guidance, cyber liability has most definitely entered the corporate boardroom and adds to the company’s business insurance profile. Cyber liability lawsuits from employees and others will directly affect Directors and Officers insurance coverage. Fortunately, cyber liability insurance is readily available and can be a central part of a cyber risk management program that eases this pressure on the directors and officers policy.