This market trends article identifies comprehensive disclosures related to cybersecurity risks, including discussions about the potential reputational, financial, or operational harm resulting from cybersecurity breaches; the potential associated litigation or regulatory costs; and their policies and procedures addressing cybersecurity incidents, and concludes with practical advice on preparing the required disclosures regarding cybersecurity risks and incidents. The company name, its industry, and the type of filing are also provided in each sample disclosure for reference.
On October 16, 2018, the Securities and Exchange Commission (SEC) released a report of investigation pursuant to Section 21(a) of the Securities Exchange Act of 1934 (the Exchange Act) detailing its investigation of several public companies that were victims of cybersecurity-related frauds. While the SEC decided not to pursue enforcement actions against these companies, it emphasized the duty of a public company to comply with the requirements of Section 13(b)(2)(B) of the Exchange Act to devise and maintain a sufficient system of internal accounting controls. On December 6, 2018, in a speech, SEC Chairman Jay Clayton highlighted cybersecurity risks as one of the prominent challenges the SEC faces. Chairman Clayton reiterated the SEC's statement and interpretive guidance regarding disclosures on cybersecurity risks and incidents (2018 guidance) issued earlier in 2018.
Under the 2018 guidance, public companies are required to disclose cybersecurity risks and cyber incidents to the extent that these are material. In evaluating whether cybersecurity risks or incidents are material, a public company should consider, among other things, the nature and magnitude of cybersecurity risks or prior incidents; the actual or potential harms of a breach to the company's reputation, financial condition, or business operation; the legal and regulatory requirements to which the company is subject; the costs associated with cybersecurity protection, including preventative measures and insurance; and the costs associated with cybersecurity incidents, including remedial measures, investigations, responding to regulatory actions, and addressing litigation.
Once cybersecurity risks and incidents are determined to be material, a public company should provide complete and accurate information in its periodic reports regarding these risks, incidents, and related investigations or litigations.
Public companies generally include cybersecurity-related disclosures in the following sections of their offering materials and periodic reports: Risk Factors, Business, and Management's Discussion and Analysis of Financial Condition and Results of Operations (MD&A). To date, most of the disclosures related to cybersecurity risks and incidents tend to be quite general in nature. On the other hand, a growing number of companies provide disclosures that are more comprehensive and particularized, with discussions about the potential reputational, financial, or operational harm resulting from cybersecurity breaches, the potential associated litigation or regulatory costs, and their policies and procedures addressing cybersecurity incidents.
For further information on public company disclosure in general, see Public Company Periodic Reporting and Disclosure Obligations and Periodic and Current Reporting Resource Kit.
Risk Factor Disclosures
Item 503(c) (17 C.F.R. § 229.503) of Regulation S-K requires that a company describe the material risks that impact the company's business, results of operations, and future prospects, as well as, in the case of an offering document, material risks that make an investment in the offered securities speculative or risky. For further information, see Market Trends 2016/17: Risk Factors, Top 10 Practice Tips: Risk Factors, and Risk Factor Drafting for a Registration Statement. The disclosures should be in plain English and should not be generic. For further information on plain English, see Top 10 Practice Tips: Drafting a Registration Statement and Glossaries in Prospectuses and Annual Reports — Background. A majority of companies choose to disclose cybersecurity risks in the Risk Factor section. The nature of the disclosures varies by company, but companies that have a strong e-commerce presence or that have experienced a security breach typically provide disclosure with particularity. Companies that are subject to industry regulations on cybersecurity, such as financial service companies, may want to enhance their disclosures by discussing the relevant regulatory developments on cybersecurity. When cybersecurity incidents become known, companies typically disclose the incidents together with remedial actions, estimated losses, and other consequences, such as litigation and regulatory action associated with the incidents. For a further discussion on cybersecurity disclosure, see Media & Entertainment Industry Practice Guide — Regulatory Trends. Set forth below are some examples of cybersecurity disclosures in the Risk Factor section.
General Disclosure on Cybersecurity Risks
- "Operational risks, including cybersecurity risks, may disrupt our businesses, result in losses or limit our growth."
In addition, our systems face ongoing cybersecurity threats and attacks. Attacks on our systems could involve, and in some instances have in the past involved, attempts intended to obtain unauthorized access to our proprietary information, destroy data or disable, degrade or sabotage our systems, including through the introduction of computer viruses, 'phishing' attempts and other forms of social engineering. Cyberattacks and other security threats could originate from a wide variety of sources, including cyber criminals, nation state hackers, hacktivists and other outside parties. There has been an increase in the frequency and sophistication of the cyber and security threats we face, with attacks ranging from those common to businesses generally to those that are more advanced and persistent, which may target us because, as an alternative asset management firm, we hold a significant amount of confidential and sensitive information about our investors, our portfolio companies and potential investments. As a result, we may face a heightened risk of a security breach or disruption with respect to this information. If successful, these types of attacks on our network or other systems could have a material adverse effect on our business and results of operations, due to, among other things, the loss of investor or proprietary data, interruptions or delays in our business and damage to our reputation. There can be no assurance that measures we take to ensure the integrity of our systems will provide protection, especially because cyberattack techniques used change frequently or are not recognized until successful. If our systems are compromised, do not operate properly or are disabled, or we fail to provide the appropriate regulatory or other notifications in a timely manner, we could suffer financial loss, a disruption of our businesses, liability to our investment funds and fund investors, regulatory intervention or reputational damage.
In addition, we operate in businesses that are highly dependent on information systems and technology. The costs related to cyber or other security threats or disruptions may not be fully insured or indemnified by other means. In addition, cybersecurity has become a top priority for regulators around the world. Many jurisdictions in which we operate have laws and regulations relating to data privacy, cybersecurity and protection of personal information, including the General Data Protection Regulation in the European Union that went into effect in May 2018. Some jurisdictions have also enacted laws requiring companies to notify individuals of data security breaches involving certain types of personal data. Breaches in security could potentially jeopardize our, our employees' or our fund investors' or counterparties' confidential and other information processed and stored in, and transmitted through, our computer systems and networks, or otherwise cause interruptions or malfunctions in our, our employees', our fund investors', our counterparties' or third parties' operations, which could result in significant losses, increased costs, disruption of our business, liability to our fund investors and other counterparties, regulatory intervention or reputational damage. Furthermore, if we fail to comply with the relevant laws and regulations, it could result in regulatory investigations and penalties, which could lead to negative publicity and may cause our fund investors and clients to lose confidence in the effectiveness of our security measures." Blackstone Group L.P., 10-K filed March 1, 2019 (SIC 6282—Investment Advice)
Disclosures for Companies That Have a Strong E-commerce Presence
- "Our business is subject to online security risks, including security breaches and cyber
Our businesses involve the storage and transmission of users' personal financial information . . . The techniques used to obtain unauthorized access, disable, or degrade service, or sabotage systems, change frequently, may be difficult to detect for a long time, and often are not recognized until launched against a target. Certain efforts may be state sponsored and supported by significant financial and technological resources and therefore may be even more difficult to detect. As a result, we may be unable to anticipate these techniques or to implement adequate preventative measures. Unauthorized parties may also attempt to gain access to our systems or facilities through various means, including hacking into our systems or facilities, fraud, trickery or other means of deceiving our employees, contractors and temporary staff. A party that is able to circumvent our security measures could misappropriate our or our users' personal information, cause interruption or degradations in our operations, damage our computers or those of our users, or otherwise damage our reputation . . . Our information technology and infrastructure may be vulnerable to cyberattacks or security incidents and third parties may be able to access our users' proprietary information and payment card data that are stored on or accessible through our systems. Any security breach at a company providing services to us or our users could have similar effects.
We may also need to expend significant additional resources to protect against security breaches or to redress problems caused by breaches. These issues are likely to become more difficult and costly as we expand the number of markets where we operate. Additionally, our insurance policies carry low coverage limits, which may not be adequate to reimburse us for losses caused by security breaches and we may not be able to fully collect, if at all, under these insurance policies." eBay Inc., Form 10-K filed January 30, 2019 (SIC 7389—Services—Business Services)
- "The Online Nature of Our Company's Operations Exposes the Company to Additional Cyber security Risks."
The Company is heavily engaged in Blockchain mining and the development of a planned digital currency exchange, all of which are inherently dependent on and exposed to the internet. Accordingly, hacking and unauthorized access to the Company's internal systems poses a substantial threat. The Company, through its platform, RiotX, anticipates the use of multiple digital wallets to secure customer assets. These digital wallets will have policy controls that require multiple approvals, spending limits and whitelists for transactions. The Company's digital wallet provider is anticipated to also support multi-signature, three-key management which removes any single point of failure and advanced security configurations ensure that assets are secure as they move in and out of the digital wallet. By employing multiple independent digital wallets, the Company plans to implement several failsafes against a potential breach, such as; assets in a given wallet are completely segregated from assets in another wallet, except for access by the authorized user(s). Furthermore, the Company is presently in discussions with third-party providers for custodial services of customer assets exchanged on its planned RiotX digital currency exchange. The Company will have a qualified third-party custodian to secure customer digital assets in keeping with industry rules and best practices. No system is totally secure and even the most sophisticated systems face the risk of unauthorized access and asset seizure. Digital currency keys which provide access to digital wallets and the digital currencies contained therein, are the most likely and vital assets for an attack, and the Company has taken or plans to take appropriate action to abrogate such risk as much as possible. An unauthorized user with access to the Company's digital keys could conceivably transfer all of the Company's digital currency assets and the Company would have limited ability to recover such stolen assets. To protect against this risk, the Company intends to employ a 95% 'cold storage' policy for all digital currencies exchanged on RiotX. Cold Storage assets are air-gapped to the internet providing an additional layer of security, meaning that a potential unauthorized online penetration of RiotX or its vendors would not be able to impact the offline digital currency keys. Despite these safeguards, there is still risk of loss or theft of digital currencies or access to the planned exchange due to the prevalence of ransomware, DDOS, and other malware/hacking attacks which pervade the internet. A successful hacking operation of the Company or its planned exchange could result in substantial impacts on the financial and business operations of the Company." Riot Blockchain, Inc., Form 10-Q/A filed March 6, 2019 (SIC 2835—In Vitro & In Vivo Diagnostic Substances)
- "Any failure by us to protect the confidential information of our customers and employees, and our networks against security breaches and the risks associated with credit card fraud could damage our reputation and brands and substantially harm our business and results of
A significant prerequisite to e-commerce and communications is the secure transmission of confidential information over public networks . . . Even though we do not store customer credit cards on our computer system and use third-party systems to clear transactions, in case of an outage to a third-party system, we will temporarily store and bill our customers' credit card accounts directly; orders are then shipped to a customer's address and customers log on using their email address. We rely on encryption and authentication technologies licensed from third parties to affect the secure transmission of confidential information, including credit card numbers . . . In addition, any party who is able to illicitly obtain a user's password could access the user's transaction data, personal information or stored images. In addition to these threats, the security, integrity, and availability of our customers' and employees' data, including student photos, could be compromised by employee negligence, error or malfeasance, and technology defects. For example, due to the current status of Lifetouch's customer contact processes, there is risk of providing photo access to the wrong customer, which could lead to loss of business with school districts and lead to brand reputation damage.
Our expanded use of cloud-based services could also increase the risk of security breaches as cyberattacks on cloud environments are increasing to almost the same level as attacks on traditional information technology systems. For example, in 2014, we experienced a cyberattack on our Tiny Prints, Treat and Wedding Paper Divas websites, which may have exposed the email addresses and encrypted passwords used by our customers to login to their accounts. We encrypt customer credit and debit card information, and we have no evidence that such information was compromised; however, any compromise of our security could damage our reputation and brands and expose us to a risk of loss or litigation and potential liability, which would substantially harm our business and results of operations. In addition, anyone who can circumvent our security measures could misappropriate proprietary information or cause interruptions in our operations. We may need to devote significant resources to protect against security breaches or to address problems caused by breaches. Additionally, in 2018, we discovered that there had been unauthorized access to an internal testing environment, which could have resulted in exposure of employee confidential data. Although we discovered no evidence to indicate exposure of this data, we cannot determine that it did not occur; while we have taken remediation and precautionary measures to prevent this type of situation from occurring again, we cannot guarantee that these measures [sic] will be effective." Shutterfly, Inc., Form 10-K filed March 1, 2019 (SIC 7384—Services—Photofinishing Laboratories)
Disclosures on Intersection of Cybersecurity and Data Privacy
- "We are subject to cybersecurity risks that could negatively impact our business
We are dependent upon our information technology platform, including our processing systems, data and electronic transmissions in our business operations [. . .] The NAIC has adopted an Insurance Data Security Model Law, which, when adopted by the states will require insurers, insurance producers and other entities required to be licensed under state insurance laws to comply with certain requirements under state insurance laws, such as developing and maintaining a written information security program, conducting risk assessments and overseeing the data security practices of third-party vendors. In addition, certain state insurance regulators are developing or have developed regulations that may impose regulatory requirements relating to cybersecurity on insurance and reinsurance companies (potentially including insurance and reinsurance companies that are not domiciled, but are licensed, in the relevant state). For example, the New York State Department of Financial Services has adopted a regulation pertaining to cybersecurity for all banking and insurance entities under its jurisdiction, effective as of March 1, 2017, which applies to us. We cannot predict the impact these laws and regulations will have on our business, financial condition or results of operations, but our insurance and reinsurance companies could incur additional costs resulting from compliance with such laws and regulations." Everest Reinsurance Holdings Inc., Form 10-K filed April 1, 2019 (SIC 6331—Fire, Marine & Casualty Insurance)
- "We are exposed to risks related to cybersecurity threats and general information security incidents which may also expose us to liability under data protection laws including the GDPR."
Cybersecurity incidents may result in business disruption, the misappropriation, corruption or loss of confidential information (including personally identifiable information) and critical data (ours or that of third parties), reputational damage, litigation with third parties, regulatory fines, diminution in the value of our investment in research and development and data privacy issues and increased information security protection and remediation costs. As these cybersecurity threats, and government and regulatory oversight of associated risks continue to evolve, we may be required to expend additional resources to remediate, enhance or expand upon the cybersecurity protection and security measures we currently maintain. For example, we are subject to the European Union's General Data Protection Regulation (GDPR), which became enforceable from May 25, 2018. The GDPR introduced a number of new obligations for subject companies resulting in the need to continue dedicating financial resources and management time to GDPR compliance. While we have taken steps to ensure compliance with the GDPR, there can be no assurance that the measures we have taken will be successful in preventing an incident, including a cybersecurity incident or other data breach, which results in a breach of the GDPR. Individuals who have suffered damage as a result of a subject company's noncompliance with the GDPR also have the right to seek compensation from such a company. Future cybersecurity breaches, general information security incidents, further increases in data protection costs or failure to comply with relevant legal obligations regarding protection of data could therefore have a material adverse effect on our results of operations, financial position and cash flows." MYOS RENS Technology Inc. Form 10-K filed March 27, 2019 (SIC 2834—Pharmaceutical Preparations)
Cybersecurity Disclosures Relating to Actual or Known Breaches and Litigation in Connection with the Breaches
- "Security breaches and improper access to or disclosure of our data or user data, or other hacking and phishing attacks on our systems, could harm our reputation and adversely affect our business."
For example, in September 2018, we announced our discovery of a third-party cyberattack that exploited a vulnerability in Facebook's code to steal user access tokens, which were then used to access certain profile information from approximately 29 million user accounts on Facebook. While we took steps to remediate the attack, including fixing the vulnerability, resetting user access tokens and notifying affected users, we may discover and announce additional developments, which could further erode confidence in our brand. In addition, the events surrounding this cyberattack became the subject of Irish Data Protection Commission, U.S. Federal Trade Commission and other government inquiries in the United States, Europe, and other jurisdictions. Any such inquiries could subject us to substantial fines and costs, require us to change our business practices, divert resources and the attention of management from our business, or adversely affect our business.
[. . .] we are currently the subject of multiple putative class action suits in connection with [. . .] a third-party cyberattack that exploited a vulnerability in Facebook's code to steal user access tokens and access certain profile information from user accounts on Facebook." Facebook Inc., Form 10-K filed January 31, 2019 (SIC 7389—Services—Computer Programming, Data Processing, Etc.)
- "We face significant cyber and data security risk that could result in the disclosure of confidential information, adversely affect our business or reputation and expose us to significant
In July 2017, we incurred a loss of approximately $172 thousand due to fraudulent wire transactions. These fraudulent wire transactions were the result of an email phishing scheme that targeted various employees of the Bank and led to an internal email compromise, affording the perpetrators access to personal information of a number of the Bank's customers. We took immediate action to contain and eradicate the email compromise, including the implementation of control enhancements to prevent a similar situation from occurring again. We believe this was an isolated event and do not believe our technology systems have been compromised. While we have not experienced any material losses relating to cyberattacks or other information security breaches such as the one that occurred in July 2017, we have been the subject of a successful hacking and cyberattack and there can be no assurance that we will not suffer additional losses in the future related to this event or others.
The occurrence of any cyberattack or information security breach, such as the one that occurred in July 2017, could result in material adverse consequences to us including damage to our reputation and the loss of customers. We also could face litigation or additional regulatory scrutiny. Litigation or regulatory actions in turn could lead to significant liability or other sanctions, including fines and penalties or reimbursement of customers adversely affected by this security breach. Even if we do not suffer any material adverse consequences as a result of the event that occurred in July 2017 or as a result of other future events, successful attacks or systems failures at the Bank or at other financial institutions could lead to a general loss of customer confidence in financial institutions including the Bank.
Our ability to mitigate the adverse consequences of occurrences (such as the one in July 2017) is in part dependent on the quality of our information security procedures and contracts and our ability to anticipate the timing and nature of any such event that occurs. In recent years, we have incurred significant expense towards improving the reliability of our systems and their security from attack. Nonetheless, there remains the risk that we may be materially harmed by this cyberattack and information security breach or others in the future. Methods used to attack information systems change frequently (with generally increasing sophistication), often are not recognized until launched against a target, may be supported by foreign governments or other well-financed entities, and may originate from less regulated and remote areas around the world. As a result, we may be unable to address these methods in advance of attacks, including by implementing adequate preventive measures. If such an attack or breach does occur again, we might not be able to fix it timely or adequately. To the extent that such an attack or breach relates to products or services provided by others, we seek to engage in due diligence and monitoring to limit the risk. In addition, as the regulatory environment related to information security, data collection and use, and privacy becomes increasingly rigorous, with new and constantly changing requirements applicable to our business, compliance with those requirements could also result in additional costs." Southern National Bancorp of Virginia, Inc., Form 10-K filed March 15, 2019 (SIC 6022—State Commercial Banks)
- "Security breaches like the 2017 cybersecurity incident and other disruptions to our information technology infrastructure could compromise Company, consumer and customer information, interfere with our operations, cause us to incur significant costs for remediation and enhancement of our IT systems and expose us to legal liability, all of which could have a substantial negative impact on our business and
[. . .] In 2017, we were the target of a cybersecurity attack that involved the theft of certain personally identifiable information of approximately 145.5 million U.S. consumers, approximately 19,000 Canadian consumers and approximately 860,000 UK consumers. In addition, we identified approximately 2.4 million U.S. consumers whose name and partial driver's license information were stolen in the attack. While the forensic analysis of the 2017 cybersecurity incident is complete, it is possible that further analysis will identify additional consumers affected or additional types of data accessed, which could result in additional notifications and negative publicity.
Following the 2017 cybersecurity incident, we began undertaking significant remediation efforts and other steps to enhance our data security infrastructure which are ongoing. In connection with these efforts, we have incurred significant costs and expect to incur additional significant costs as we continue to enhance our data security infrastructure and take further steps to prevent unauthorized access to our systems and the data we maintain. Despite these efforts, we cannot assure you that all potential causes of this incident have been identified and remediated and that similar cyber incidents will not occur in the future." Equifax Inc., Form 10-K filed February 21, 2019 (SIC 7320—Services—Consumer Credit Reporting, Collection Agencies)
- "The government investigations and litigation resulting from the 2017 cybersecurity incident will continue to adversely impact our business and results
As a result of the 2017 cybersecurity incident, we are currently a party to a consolidated multidistrict consumer class action lawsuit and a consolidated multidistrict financial institution class action lawsuit, as well as a consolidated securities class action lawsuit, shareholder derivative litigation and other lawsuits and claims arising out of the 2017 cybersecurity incident seeking monetary damages or other relief. A number of U.S. federal, state, local and foreign governmental officials and agencies, including Congressional committees, the FTC, the CFPB, the SEC, the U.S. Department of Justice and state attorneys general offices in the U.S., the FCA in the UK and the Office of the Privacy Commissioner in Canada, continue to investigate events related to the 2017 cybersecurity incident, including how it occurred, the consequences thereof and our response thereto . . . In addition, other lawsuits, investigations and reports related to the 2017 cybersecurity incident may be filed, commenced or issued. The claims and investigations have resulted in the incurrence of significant external and internal legal costs and expenses and reputational damage to our business and are expected to continue throughout 2019 and beyond. The resolution of these matters may result in damages, costs, fines or penalties substantially in excess of our insurance coverage, which, depending on the amount, could have a material adverse effect on our liquidity or compliance with our credit agreements. If such damages, costs, fines or penalties were great enough that we could not pay them through funds generated from operating activities and/or cause a default under our revolving credit facility, we may be forced to renegotiate or obtain a waiver under our revolving credit facility and/or seek additional debt or equity financing. Such renegotiation or financing may not be available on acceptable terms, or at all. 
In these circumstances, if we were unable to obtain sufficient financing, we may not be able to meet our obligations as they come due. The outcome of such claims and investigations could also adversely affect or cause us to change how we operate our business. Various governmental agencies investigating the 2017 cybersecurity incident are seeking to impose injunctive relief, consent decrees, and civil penalties, which could, among other things, impact our ability to collect and use consumer information, materially increase our data security costs, reduce available resources to invest in technology and innovation and/or otherwise require us to alter how we operate our business, and put us at a competitive disadvantage." Equifax Inc., Form 10-K filed February 21, 2019 (SIC 7320—Services—Consumer Credit Reporting, Collection Agencies)
- "If our efforts to protect the security of information about our guests, team members, vendors and other third parties are unsuccessful, we may face additional costly government enforcement actions and private litigation, and our sales and reputation could
Prior to 2013, all data security incidents we encountered were insignificant. Our 2013 data breach was significant and went undetected for several weeks. Both we and our vendors have had data security incidents since the 2013 data breach; however, to date these other incidents have not been material to our results of operations. Based on the prominence and notoriety of the 2013 data breach, even minor additional data security incidents could draw greater scrutiny. If we, our vendors, or other third parties with whom we do business experience additional significant data security incidents or fail to detect and appropriately respond to significant incidents, we could be exposed to additional government enforcement actions and private litigation. In addition, our guests could lose confidence in our ability to protect their information, discontinue using our REDcards or loyalty programs, or stop shopping with us altogether, which could adversely affect our sales, reputation and results of operations. The legal and regulatory environment regarding information security, cybersecurity, and privacy is increasingly demanding and has enhanced requirements for handling personal data. Complying with new data protection requirements may cause us to incur substantial costs, require changes to our business practices, limit our ability to obtain data used to provide a differentiated guest experience, and expose us to further litigation and regulatory risks, each of which could adversely affect our results of operations." Target Corp., Form 10-K filed March 13, 2019 (SIC 5331—Retail—Variety Stores)
Originally published by LexisNexis
Mayer Brown is a global legal services organization comprising legal practices that are separate entities (the Mayer Brown Practices). The Mayer Brown Practices are: Mayer Brown LLP, a limited liability partnership established in the United States; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales; Mayer Brown JSM, a Hong Kong partnership, and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.
© Copyright 2019. The Mayer Brown Practices. All rights reserved.