Opening the cyber-kimono

Aug 20, 2014
Corporations need to take action against cyber-attacks, but regulators aren't helping

The high-profile hackings of Target and Wyndham Worldwide have spurred lawsuits against corporate officers and directors, regulatory investigations and congressional hearings. These data breaches constitute yet another warning to corporate America that cyber-crime isn’t just an IT issue and that it certainly demands the attention of business leaders.

The aftermath of these hackings should be a teachable moment. Aside from the government investigations, 140 separate civil lawsuits have been filed as a result of the Target hacking, including several shareholder derivative actions against the company’s board members and directors, alleging that they ignored ‘red flags’ concerning the security of the customer information, and singularly failed to implement ‘any internal controls… designed to detect and prevent such a data breach.’

The litigation against Wyndham’s officers and directors makes similar allegations, charging that they, too, failed to ‘ensure the company... implemented adequate information security policies and procedures.’

While C-suites and boards of directors get to grips with this new cyber-reality and their relevant legal duties, a recent PwC report finds that the cyber-security programs of US firms do not rival ‘the persistence and technological prowess of their cyber-adversaries.’

While it might seem obvious that companies would consider nearly any significant cyber-attack a material event that requires proper disclosure, the reality is that the legal and regulatory implications of attacks are murky. In 2011 the SEC issued ‘guidance’ to companies on when to disclose a cyber-incident to investors. But the SEC’s guidance is just that – guidance. It is not a rule or regulation, nor is it mandatory. It also leaves many details to the discretion of individual companies.

The guidance explains that federal securities laws are designed to ensure the disclosure of ‘timely, comprehensive and accurate information about risks and events that a reasonable investor would consider important to an investment decision.

‘Although no existing disclosure requirement explicitly refers to cyber-security risks and cyber-incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents,’ the SEC guidance continues.

Reluctant disclosure

Companies have remained reluctant to mention cyber-security in their public filings, however, even while the number of companies reporting concerns about cyber-security has more than doubled in the past two years. Companies including Google, AIG and Quest Diagnostics have all ultimately filed revised cyber-security disclosures after being chided by the SEC for not doing so.

Still, many companies continue to refrain from disclosing data breaches or provide only vague disclosures. This is because disclosures can undermine a company’s cyber-security efforts or jeopardize an ongoing law enforcement investigation. The SEC itself acknowledges that providing too much detail could create a ‘road map’ for infiltrators.

Other difficult questions remain. Should the SEC adopt a regulation giving corporations a pass from public disclosure obligations if they refer the matter to law enforcement? Such a rule could easily be abused. A corporation’s concerns over legal liability and protecting its reputation and stock price already create powerful incentives not to go public. It could prove irresistible for a victim corporation to make a half-hearted referral to law enforcement as a fig leaf to avoid an embarrassing – and potentially devastating – disclosure.

Furthermore, once a disclosure to law enforcement has been made, the company will likely get little information about the status or progress of any investigation. Can a company that reports an attack to law enforcement, and then hears nothing back for weeks or months, continue to keep information about the attack from its investors?

At an SEC roundtable on cyber-security in March 2014, participants debated whether the SEC should transform its guidance into rules to provide corporations with more certainty as to what is expected of them when faced with a cyber-attack.

In any case, a regulatory slap on the wrist is just the start; the potential legal liability for a company, its executives and its board is staggering. Lawyers and regulators may begin sharpening their knives to seize upon any organization that has not taken adequate measures to shore up – and communicate about – its digital infrastructure.

There are no easy answers, but there are several things that should happen immediately:

1. The SEC must step up with guidance that is more direct and detailed, and which takes into account the significant competing interests companies face, especially if public disclosure would jeopardize ongoing law enforcement efforts or expose critical vulnerabilities. If the federal government is going to embark on a high-profile cyber-campaign, it must give businesses clear direction and guidance.

2. Regardless of regulatory guidance, corporations need to get specific with their cyber-security preparedness – not only to protect themselves against attack, but also to help them defend against lawsuits. Directors and officers need to ask – and disclose in their public filings when appropriate to do so – key questions about cyber-security protocols in place, including:

  • Is there a board committee or board member with the requisite background and experience to oversee cyber-risks?
  • Is it prudent for the board to retain a cyber-security consultant or adviser to assist in asking questions of management and the IT department?
  • What are the greatest cyber-risks to the company? How often are those risks reassessed?
  • How should the board receive its cyber-briefings?
  • Is there an appropriate cyber-incident response plan in place at the company? Does it include a specific media and public relations plan and outreach to all key constituents including clients, vendors, customers, law enforcement, regulators and shareholders? How often is this plan rehearsed? How often is it reviewed and/or updated?

3. Corporate secretaries should start keeping appropriate records of the board’s process in cyber-security matters.

4. Consider whether cyber-insurance makes sense. More and more companies are purchasing it: according to Betterley Risk Consultants, total cyber-insurance premiums paid last year were $1.3 billion, compared with $1 billion in 2012. Somewhat surprisingly, the majority of cyber-insurance policies were issued to small and mid-sized companies.

The solution is not simple. Just having the best technology in place isn’t enough – companies must adopt and articulate clear policies that outline the steps taken to protect sensitive data, along with their responsibilities and plans for disclosing breaches. They should clearly define the roles of senior management and directors, address and explain their insurance coverage, and specify the frequency with which security policies are updated.

It’s been almost two years since former defense secretary Leon Panetta invoked the specter of a ‘cyber-Pearl Harbor’ in describing the threat of cyber-attacks on US businesses and institutions. Since then, cyber-attacks against US corporations have grown in frequency and intensity – and it’s time the responses did as well.

Craig Newman is managing partner of law firm Richards Kibbe & Orbe and chief executive officer of the non-profit Freedom2Connect Foundation.
