Public Reporting Requirements and Cybersecurity Whistleblowers

In recent years, publicly-traded companies have become more sensitive to cybersecurity as a significant business risk. As with other risks, publicly-traded companies have an obligation to their investors and the public at large to report their cybersecurity risks with enough specificity to enable investors to make prudent investment decisions. Indeed, SEC enforcement actions based on inadequate reporting will become more common as publicly-traded companies across all sectors become more reliant on technology to conduct their core business operations.

SEC ALREADY SCRUTINIZING SOME COMPANIES

Already, publicly-traded companies that fail to protect customers’ data face SEC scrutiny. In June 2016, Morgan Stanley agreed to pay a $1 million penalty to settle charges related to its failure to protect customer information. Andrew Ceresney, Director of the SEC Enforcement Division, said at the time, “Given the dangers and impact of cyber breaches, data security is a critically important aspect of investor protection. We expect SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information.”

Publicly-traded companies have been warned to take their cybersecurity-related reporting obligations seriously. The Division of Corporation Finance released CF Disclosure Guidance: Topic No. 2, “Cybersecurity” on October 13, 2011, to address how the Division of Corporation Finance views disclosure obligations relating to cybersecurity risks and cyber incidents. The guidance stated, among other things, “The federal securities laws, in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision . . . [M]aterial information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.”

Material Risk Should Always Be Explicit

Like any other material risk, a publicly-traded company should not use general or vague descriptions of cybersecurity risk when doing so would be misleading or inaccurate. The CF Disclosure Guidance explained, “A registrant may need to disclose known or threatened cyber incidents to place the discussion of cybersecurity risks in context. For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur. Instead, as part of a broader discussion of malware or other similar attacks that pose a particular risk, the registrant may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences.”

CYBERSECURITY IS A VITAL COMPONENT OF RISK MANAGEMENT

According to Vernon Litigation Group attorney Jeffrey Haut, “Data breaches, business compromise schemes, advanced persistent threats, and other cybersecurity risks should be discussed in boardrooms across the country because they are vital components of publicly-traded companies’ enterprise risk management programs.” The SEC will likely broaden its regulatory oversight of publicly-traded companies’ cybersecurity practices when it is made aware of violations through whistleblowers. “Frequently, employees are in a unique position to spot poor cybersecurity practices and unreported cyber incidents. The SEC’s Whistleblower Program allows members of the public, including eligible employees, to report securities laws violations anonymously through the assistance of an attorney.” Many publicly-traded companies are already aware of cybersecurity risks and adjusting their enterprise risk management programs accordingly. “As cyberthreats become more sophisticated and damaging to our economy, we expect the SEC to pursue publicly-traded companies’ inadequate reporting with increased intensity,” Haut concluded.

ABOUT VERNON LITIGATION GROUP

Vernon Litigation Group is based in Naples, Florida, with additional offices in Orlando, Florida, and Atlanta, Georgia. One of Vernon Litigation Group’s missions is to assist in the recovery of client losses relating to cybersecurity and data privacy. Vernon Litigation Group handles financial litigation cases, including SEC Whistleblower complaints, involving cybersecurity, identity theft, negligence, financial fraud, misappropriation of identity, unauthorized transactions by employees, and civil penalties involving violations of state and federal law.
For more information, contact:
Vernon Litigation Group
Phone: (239) 319-4434
E-mail: info@vernonlitigation.com
