I am sure many readers were disturbed as I was by the February
19, 2012 New York Times article reporting that a Chinese army unit
apparently has been executing a concentrated cyber-hacking program
targeting U.S. companies and critical U.S. infrastructure. (The report of
consulting firm Mandiant that was the basis of the Times article can be found here.) This story is part of a
rising tide of media reports about cybersecurity risks. Indeed, concerns about
these kinds of activities led President Obama's February 12, 2013 Executive
Order entitled "Improving Critical Infrastructure Cybersecurity" (here).
Although the recent disclosures are quite troubling, it
is not news that cybersecurity risks represent a significant concern for just
about every company involved in the current economy. Prior posts on this site
(for example, here)
have detailed the liability exposures that these risks represent for all of
these companies and for their directors and officers. But while these issues
are not new, it really seems that as we have headed into 2013, the volume on
these issues has been turned up.. It now seems clear that cybersecurity is
going to be one of the hot button issues for the foreseeable future, both in
the media and for the affected companies.
The heightened scrutiny of cybersecurity issues has a
number of important implications for potentially affected companies, and not
just from an operational standpoint. These developments also have important
implications for public company's public disclosure statements, and, as a
consequence, for the company's potential regulatory and litigation exposures.
Indeed, according to a February 21, 2013 memo from the
King & Spaulding law firm entitled "Cybersecurity: The New Big Wave in
Securities Litigation?" (here),
"it is likely that this issue will continue to gain momentum among both
government regulators and opportunistic plaintiff lawyers seeking to catch the
next wave of shareholder litigation." In particular, the failure to promptly
disclose a cyber breach "may put a company at risk of facing formal SEC
investigations, shareholder class actions, or derivative lawsuits."
As the memo notes, the SEC "has already taken a firm
stand on cybersecurity disclosures, and clearly views this issue as ripe for
enforcement actions." In October 2011, the SEC's Division of Corporate Finance
issued "Disclosure
Guidance" on cybersecurity related issues. Among other things, the Guidance
clarified that the agency expects companies to disclose the risk of cyber
incidents among their "risk factors" in their periodic filings and also expects
companies to disclose material cybersecurity breaches in their Management
Discussion and Analysis.
The law firm memo notes that so far, the SEC's Guidance
"seems to have had little impact on corporate disclosure," and that in many
instances companies experiencing cyber breaches are "choosing to keep those
events confidential." However, "given the increasing awareness of this hot
issue," it seems "likely" that the SEC "will increase pressure on companies to
disclose such events." The memo adds that "companies that have experienced
significant cybersecurity breaches should prepare themselves for potential SEC
investigations and lawsuits."
In addition to the risk of SEC enforcement action,
companies experiencing cyber breaches also face the possibility of a securities
class action lawsuit. However, the memo notes, a company experiencing a cyber
breach "will likely not be a target of a securities class action unless the
disclosure of the breach can be linked to a statistically significant drop in
the company's share price." In that respect, it is worth noting that several
high profile companies announcing cyber breaches have not experienced a significant
drop in their stock price following the announcement. (For example, recent
announcements by Facebook, Apple and Microsoft that they have been the target
of sophisticated cyber attacks did not affect the companies' share prices.)
Nevertheless, it seems likely that at least some companies experiencing cyber
breaches or subject to cyber attacks will also suffer a drop in their share
price, and "thus result in securities class action litigation."
Companies that do not experience a share price decline
following a cybersecurity incident may not get hit with securities class action
litigation, but they are still susceptible to derivative lawsuits alleging, for
example, that company directors breached their fiduciary duties by failing to
ensure adequate security measures. As the law firm memo notes, shareholder may
claim that senior management and directors "were either aware of or should have
been aware of the breach and the company's susceptibility to hacking
incidents." Of course, any lawsuit of this type would face significant hurdles,
including the requirement to make a formal demand on the board as well as the
business judgment rule.
In any event, it is clear that cybersecurity issues are
going to be an increasing source of scrutiny for companies and their senior
officials. This heightened scrutiny not only means that companies will be under
pressure to take steps to ensure that their networks and information are
secure, but also means that the companies will face pressure both to "disclose
the risks associated with potential cybersecurity breaches and provide timely
updates when actual breaches occur." Companies that fall short on these
disclosure expectations "will face a substantial risk of regulatory scrutiny
and shareholder litigation."
As Rick Bortnick of the Cozen O'Connor firm discussed in
a prior guest post on this site (here),
cyber security disclosures have already been the source of securities class
action litigation, in the
high profile case involving Heartland Payment Systems. Although that case
was dismissed, Bortnick points out how different the circumstances and
disclosures involved in that case might look if viewed through the prism of the
SEC"s 2011 Disclosure Guidance.
Among other implications from these developments is that
cybersecurity disclosure seems likely to be the subject of greatly increased
scrutiny, suggesting that this disclosure - particularly precautionary
disclosure forewarning investors of the possible adverse effects the company
could expect in the event of a serious cyber attack - should become a priority
for reporting companies.
Finally, these developments and the possible regulatory
and litigation implications underscore the fact that cybersecurity exposures
represent an important issue to be addressed as part of every company's
corporate insurance program. Indeed, the SEC itself considered the question of
insurance for cybersecurity exposures to represent such a critical issue that,
in its Disclosure Guidance, it specifically identified the insurance issue as
one of the topics companies should address in their disclosure of cybersecurity
issues.
The insurance issues related to cybersecurity include not
only the question of whether companies should acquire dedicated cyber and
network security insurance, but also includes the question of the protection
available to the companies' senior officials under their management liability
insurance policies. The rapidly evolving nature of these issues and the related
liability exposures underscores the importance for all companies to have a
knowledgeable and experienced insurance professional involved in the design and
implementation of their corporate insurance program.
Readers interested in the President's recent Executive
Order and its potential implications will want to take a look at the February
2012 article written by Lockton's Bill Boeck entitled "Cybersecurity Executive
Order: What We Know and What We Don't Know" (here).
Those who are interested in the implications of these
developments for corporate directors will want to review the recent guest post
on this site by D&O maven Dan Bailey entitled "Cyber Risks: New Focus for
Directors" (here).
Classic Rock Notes::In
its February
23, 2013 review of new autobiography of record industry executive Clive
Davis, the Wall Street Journal describes a critical incident that led
Davis to become one of the recording industry's most successful rock music
producers. In June 1967, Davis attended the Monterey Pop Music festival, where
he heard Janis Joplin deliver a version of Big Mama Thornton's "Ball and
Chain." Davis described the event as "not merely one of Janis's greatest
moments onstage, but one of the classic performances in rock history. It was
simply overwhelming." Joplin was, according to Davis, "hypnotic" and
"mesmermizing." Davis says he thought on seeing her performance, "This is a
social and musical revolution."
Davis wasn't exaggerating. Even in the grainy Internet
video, Joplin's performance will give you goosebumps. Crank up the volume on
your computer and enjoy (watch for the cutaway shot of Mama Cass Elliot
regarding Joplin in slackjawed amazement).
Read
other items of interest from the world of directors & officers liability,
with occasional commentary, at the D&O Diary, a blog by Kevin LaCroix.
For more information about LexisNexis
products and solutions connect with us through our corporate site.