Assessing U.S. Public Company Cyber Risk Disclosure Practices

It has been nearly two years since the SEC Division of Corporate Finance issued its Disclosure Guidance on cybersecurity risks. During this period reporting companies have had the opportunity to incorporate disclosures in their reporting documents about the cybersecurity risks they face. To develop a picture of what companies are disclosing and what the disclosure suggests, the insurance brokerage firm Willis reviewed the cyber disclosures in the SEC filings of the Fortune 1000 companies. The August 2013 report based on that review can be found here.

As readers will recall, the SEC Division of Corporate Finance issued its Disclosure Guidance on cybersecurity in October 2011 (about which refer here). Among other things, the Guidance suggested that appropriate risk factor disclosures might include:

  • Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
  • To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
  • Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
  • Risks related to cyber incidents that may remain undetected for an extended period; and
  • Description of relevant insurance coverage.

Willis reviewed the 10-Ks and annual reports of the Fortune 1000 companies in order to assess the extent of cyber risks and exposures identified and the steps being taken to reduce the risks and exposures. The firm also compared disclosure practices between the largest 500 companies and the Fortune 501-1000 companies.

Among many interesting things, the report notes that a large number of companies have chosen to remain silent in their filing documents about cybersecurity risks – the filings of 12% of the companies in the Fortune 500 contained no cyber disclosures and the filings of 22% of companies in the Fortune 501-1000 contained no cyber disclosure. On the other hand, the majority of companies in both groups reported either that cybersecurity risks could “impact” or “materially impact” their businesses, or that they could “materially harm” or “seriously harm” their businesses.

Though many companies are now disclosing their concerns about cybersecurity risks, few of the companies disclosed that they had in fact been the subject of an actual cyber event. Only 1% of the Fortune 1000 disclosed a cyber event in their reporting documents. As the Willis report notes, this is “a seemingly low number given the number of attacks that appear in the press on a regular basis.” The report notes further that none of the companies that disclosed actual attacks included the associated cost, even though the SEC’s Guidance requests the dollar costs of the attacks that have occurred.

The report groups the kinds of cybersecurity risks that reporting companies specifically identified, noting that the most frequently used terms to describe the cyber exposures facing companies include “privacy/use of confidential data” and “reputation risk.” Interestingly, given recent prominent publicity, relatively few companies identified either cyber terrorism (less than 20% overall) or loss of intellectual property (less than 12% overall) as among the cybersecurity risks the companies face.

Even though the SEC’s disclosure guidance specifically references the availability of insurance for cyber security exposures as among the appropriate topics for companies to address, only about 6% of reporting companies referenced insurance in their disclosures. The Willis report notes that, based on the firm’s own informal survey of companies, many more companies purchase cyber insurance than the disclosure reports would suggest; for example, their survey of life and health insurance companies suggests that more than 60% of companies in that sector purchase cyber insurance, but only 1% of companies in that industry in the Fortune 1000 mentioned purchasing it in their SEC filings. The report observes that “many companies may be under-reporting insurance covering cyber-risks.”

The report interestingly analyzes by industry how different companies have characterized their cybersecurity risks, as well as the number and type of different kinds of cyber exposures the company faces and the loss control measures the companies have taken.

The SEC has not just received the companies’ filings, but, according to published accounts, the SEC has sent comment letters to approximately 50 companies asking them to supplement or amend their filings. As discussed here, the kinds of things on which the SEC has requested further elaboration include: that companies disclose whether data breaches have actually occurred and how the companies have responded to such breaches; that cybersecurity risks should be broken out separately and stand alone from disclosure of other types of risks because of the distinct differences between the risk of cybersecurity attacks and the risk of other types of disasters or attacks; and for companies that have suffered cyber breaches, additional information regarding why the public company does not believe the attack is sufficiently material to warrant disclosure.

By focusing only on the companies large enough to be included in the Fortune 1000, the report does not include any analysis of smaller companies’ disclosure practices. Just the same, the report does note perceptible differences in reporting and disclosure between the companies in the Fortune 500 and the Fortune 501-1000, which suggests that a review of companies outside the Fortune 1000 would likely find that disclosures are even less robust.

However, regardless of whether companies are larger or smaller, cyber disclosure remains a priority item for the SEC. Indeed, in May 2013, Mary Jo White, the SEC’s new Chairman, reported that she had asked her staff to evaluate the SEC’s current guidance for cybersecurity exposures and to consider whether more stringent requirements are necessary.

The likelihood is that cybersecurity disclosures will remain a priority. The one area that seems likeliest to receive attention is the issue of disclosure of actual breaches. The low level of reported breaches that the Fortune 1000 disclosed; the focus on the issue in the SEC’s comment letters; and the importance of the issue to shareholders and other constituencies all suggest that this will be an area of continued focus and scrutiny.

As always, whenever there are disclosure requirements, there is room for allegations that the disclosures are misleading or incomplete. Whether or not plaintiffs’ attorneys target companies for their cybersecurity disclosures, there is the possibility that the SEC may target a company for its cybersecurity disclosures as a way to highlight the importance of the issue and as a way to encourage other companies to focus more on their cybersecurity risk disclosures.

While the way that all of this will play out remains to be seen, it seems likely that the issue of cybersecurity disclosure will only become more important in the months ahead.

Special thanks to Jim Devoe at Willis for sending me a copy of the report.

Read other items of interest from the world of directors & officers liability, with occasional commentary, at the D&O Diary, a blog by Kevin LaCroix.