In his recently published book, Cybersecurity for Executives: A Practical Guide, Retired Brigadier General Gregory Touhill, now Deputy Assistant Secretary at the Department of Homeland Security Office of Cybersecurity and Communications, offers the following quote from Congressman Mike Rogers, Chairman of the House Intelligence Committee, on the state of cybersecurity: “There are two kinds of companies. Those that have been hacked, and those that have been hacked but don’t know it yet.” What makes the quote particularly interesting? It is from 2011 – long before the headlines regarding Target, eBay, and Adobe, not to mention the recently reported efforts of Russian and Chinese hackers. In light of all these events, the question arises: “how concerned should directors and officers be about cybersecurity?” Most experts would respond, “very.”
In October 2011, the SEC Division of Corporate Finance issued its Disclosure Guidance on cybersecurity. The Guidance suggested several risk factor disclosures, including a discussion of material cybersecurity risks to a registrant’s business or operations, a description of cyber incidents experienced by the registrant, and a description of relevant insurance coverage. A report prepared by the insurance brokerage firm Willis in August 2013, based on a review of 10-Ks and annual reports filed by the Fortune 1000, suggested that companies were describing the possibly material risks to their businesses in broad terms, but were not adequately disclosing actual cyber events or their cyber-related insurance coverage. Notably, only a few months prior to the Willis report, SEC Chairman Mary Jo White asked her staff to brief her on current cybersecurity disclosure practices for publicly-listed companies, and to provide recommendations for further SEC action.
Significantly, in a speech delivered in June 2014 at the NYSE “Cyber Risks and the Boardroom” Conference, SEC Commissioner Luis Aguilar suggested one source of guidance for boards regarding cybersecurity. In February 2014, the National Institute of Standards and Technology (NIST), pursuant to an Executive Order from President Obama, released the first version of the Framework for Improving Critical Infrastructure Cybersecurity. The NIST Framework is intended to provide companies with a set of industry standards and best practices for managing their cybersecurity risks. In his speech at the NYSE conference, Commissioner Aguilar noted, “While the Framework is voluntary guidance for any company, some commentators have already suggested that it will likely become a baseline for best practices by companies, including in assessing legal or regulatory exposure to these issues or for insurance purposes.” In concluding his speech, Commissioner Aguilar cautioned board members, “Given the heightened awareness of these rapidly evolving risks, directors should take seriously their obligation to make sure that companies are appropriately addressing those risks.”
The obvious takeaway from all of the above is that directors and officers (and their counsel) need to remain closely attuned to current and future guidance from the SEC, both in terms of meeting their obligations to address their company’s own cybersecurity and with respect to their disclosure and reporting obligations regarding cybersecurity.
Finally, anyone interested in understanding the latest developments in cybersecurity, data breaches, privacy law, and related insurance issues should consider attending DRI’s inaugural Data Breach and Privacy Law Seminar in Chicago on September 11-12, 2014. For more information and to register, go to: http://www.dri.org/Event/20140065