Hackers aren’t the only ones after company information. Earlier this week, Willis Fortune 500, a unit of Willis Group Holdings, a global insurance broker providing insurance and risk management services, made available its own report tracking the response by Fortune 500 companies to the SEC’s October 2011 guidelines for cybersecurity disclosures. The report’s key findings include that, as of April 2013, 85% of Fortune 500 companies were following the SEC guidelines and providing some level of disclosure of cyber exposures. However, close to 40% of the companies failed to provide details on the size of their exposure, stating only that the risk would have an impact on the company without further discussing the extent of that impact. As such, the report concluded that the question of whether company disclosures rise to the level mandated by the SEC is debatable, given the paucity of information regarding the probability of incidents and their quantitative and qualitative magnitude.
In light of the findings of the Willis Fortune 500 report, it’s not surprising that SEC Chairman Mary Jo White had previously asked the Commission to evaluate compliance with current guidelines for cybersecurity disclosures, assemble a report on the general practice and compliance with the existing guidelines, and make recommendations for further guidance.
Following up on clues earlier this year that the SEC may increase its scrutiny of cybersecurity disclosures, SEC Chairman Mary Jo White has asked the Commission to evaluate current guidance for cybersecurity disclosures and to consider whether more stringent requirements are necessary. White asked the Commission to assemble a report on general practice and compliance with existing guidelines, and to make recommendations for future guidance. White did not yet commit to changes to the current guidelines, issued in October 2011, pending issuance of the report.
Senator Jay Rockefeller, who disclosed the Chairman’s directive, has recently encouraged the SEC to provide further guidance on cybersecurity disclosures. He has already sponsored legislation in this arena, including the Cybersecurity Act of 2012, which would have pushed the private sector to share internal information within the industry and with government agencies. The proposed 2012 legislation would also have encouraged the adoption of protective measures for computer networks. Senator Rockefeller has expressed concern about the lack of information regarding cybersecurity risks, and appears poised to push for additional disclosures.
Cybersecurity may be the SEC’s newest area for enforcement actions. While the SEC first released Disclosure Guidance concerning cybersecurity in 2011, the recent media attention surrounding significant cybersecurity breaches at a number of U.S. companies may cause the SEC to renew interest in the issue, and may result in enforcement actions, as well as shareholder class actions and derivative lawsuits. Companies that fail to disclose cybersecurity events in their public filings may find themselves on the wrong end of an SEC investigation and enforcement action.
Companies may also see an increase in class actions where there is a significant stock drop following disclosure of a cybersecurity breach. However, to date, there is little evidence to suggest the market reacts negatively following disclosure of a cybersecurity breach, leaving open the question of whether plaintiffs could prove materiality and causation in a securities fraud case. Finally, increased focus on cybersecurity disclosures may result in an increase in shareholder derivative actions against officers and directors, with shareholders alleging that the officers and directors breached their fiduciary duties by failing to ensure adequate security measures.