Demystifying SEC
Guidance on
Cybersecurity Risk
International Association of Privacy Professionals
Global Privacy Summit
March 7, 2013
James T. Shreve
Christopher T. Pierson
Thomas A. Sporkin
Agenda & Disclaimer
1. What the SEC Guidance Is
2. What the Guidance Says (and Does Not Say)
3. Balancing Additional Considerations
4. Non-Compliance Risks
5. Other SEC Privacy and Data Security Issues
6. Questions
The opinions contained herein do not reflect the opinions and beliefs of the authors’ employers or
associated agencies (present or former). All content contained herein is for informational purposes only
and may not reflect the most current legal developments. The content is not offered as legal or any
other advice on any particular matter.
About the Guidance
• SEC Released the Guidance on October 13, 2011
– Drive transparency & awareness
– Provide clearer guidance on “material risks”
• Shine the light on cybersecurity risks within
companies to allow for proper evaluation
What Weight of Authority Does It Have?
• “[P]rovides the Division of Corporation Finance's
views regarding disclosure obligations relating to
cybersecurity risks and cyber incidents.”
• “This guidance is not a rule, regulation, or statement
of the Securities and Exchange Commission. Further,
the Commission has neither approved nor
disapproved its content.”
Part II
What the
Guidance
Does (and
Does Not) Say
Division of Corporation Finance
Securities and Exchange Commission
CF Disclosure Guidance: Topic No. 2
Cybersecurity
Date: October 13, 2011
Summary: This guidance provides the Division of Corporation Finance's
views regarding disclosure obligations relating to cybersecurity risks and
cyber incidents.
Supplementary Information: The statements in this CF Disclosure
Guidance represent the views of the Division of Corporation Finance. This
guidance is not a rule, regulation, or statement of the Securities and
Exchange Commission. Further, the Commission has neither approved
nor disapproved its content.
Introduction
For a number of years, registrants have migrated toward increasing
dependence on digital technologies to conduct their operations. As this
dependence has increased, the risks to registrants associated with
cybersecurity have also increased, resulting in more frequent and severe
cyber incidents. Recently, there has been increased focus by registrants
and members of the legal and accounting professions on how these risks
and their related impact on the operations of a registrant should be
described within the framework of the disclosure obligations imposed by
the federal securities laws. As a result, we determined that it would be
beneficial to provide guidance that assists registrants in assessing what, if
any, disclosures should be provided about cybersecurity matters in light of
each registrant’s specific facts and circumstances.
What Is Cybersecurity or a Cyber Incident?
Cybersecurity Risks and Cyber Incidents
• Deliberate attacks or unintentional events
• Gaining unauthorized access to digital systems
– Misappropriating assets or sensitive information
– Corrupting data
– Causing operational disruption
• Denial of Service attacks
• Objectives: financial, financial theft, IP theft
– Main target or business partners
What Should be Reported?
Cybersecurity Risks and Cyber Incidents
• Risk Factors
– Nature of Risks
– Included List of Possible Disclosures
• Management’s Discussion and Analysis of Financial Condition and Results of Operations
– Costs and Other Consequences
• Description of Business
What Should be Reported?
Cybersecurity Risks and Cyber Incidents:
• Description of Business
– Effects on Products, Services or Relationships
– 3rd Party Relationships
• Legal Proceedings
• Costs associated or projected with the incident
• Costs associated with third parties/outsourced
functions
• Financial Statements
What Does Material Mean?
• From Case Law
• A reasonable investor would find that information
important in the decision to purchase or sell a
security or in determining how to vote
• Substantial likelihood that the disclosure of the
omitted fact would have been viewed by the
reasonable investor as having significantly altered
the ‘total mix’ of information made available
– Material Risk changes as threat matrix evolves
– Material Risk changes as perceived by others (news)
What is Risk?
• Most significant factors that make an investment
speculative or risky
• Factors particular to a business or the type of
business rather than risks that could apply to any
business
• Conduct Risk Analysis
– Use both quantitative and qualitative analysis
– Include in the risk analysis the adequacy and
effectiveness of mitigating controls
How and When Should Reporting be Done?
• Registration Statements
• Periodic Reports
• Material Event Reports
– 10-Q: the company's quarterly report; less detailed.
– 10-K: the annual report filed by a company; in-depth.
– 8-K: a form filed by companies to inform their shareholders of unscheduled material events that are important to shareholders.
SEC Comments on Filings
• Differentiate risks from actual incidents
• Note risks arising from third party performance of
cybersecurity duties
• Address risks mentioned in public statements
• Requests for more information from companies the
SEC believes may have risks based on nature of
business
– So far, comments/requests involve addressing risks in
future statements
– SEC monitoring newsworthy events for handling in future
reports
Similar Language, Differing Placement
“Our websites and, as reported in the media, the websites of other large financial institutions, have
recently been subject to a series of distributed denial of service cyber security incidents. These incidents
have not had a material impact upon Bank of America, nor have they resulted in unauthorized
access to our or our customers’ confidential, proprietary or other information.” Bank of Am. Corp.,
Quarterly Report (Form 10-Q) 144 (Nov. 2, 2012).
“Recently, there has been a well-publicized series of
apparently related denial of service attacks on large
financial services companies, including PNC.” PNC
Fin. Serv. Grp., Inc., Quarterly Report (Form 10-Q)
172 (Nov. 8, 2012).
Similar Language, Differing Placement
“Recently, Wells Fargo and reportedly other financial
institutions have [sic] been the target of various denial-of-service
or other cyber attacks as part of what appears to
be a coordinated effort to disrupt the operations of
financial institutions.” Wells Fargo & Co., Quarterly Report
(Form 10-Q) 19 (Nov. 6, 2012).
“The Firm and several other U.S. financial institutions have
recently experienced significant distributed denial-of-service
attacks from technically sophisticated and well
resourced third parties which were intended to disrupt
consumer online banking services.” JPMorgan Chase &
Co., Quarterly Report (Form 10-Q) 221 (Nov. 8, 2012).
“The Firm and several other U.S. financial institutions have
recently experienced significant distributed denial-of-service
attacks from technically sophisticated and well
resourced third parties which were intended to disrupt
consumer online banking services.” JPMorgan Chase &
Co., Quarterly Report (Form 10-Q) 106 (Nov. 8, 2012).
Caution!
• Risk By News
– Ensure you “right size” the risk to your environment
– Be careful not to overreact, but also do not boilerplate
Cybersecurity Legislation
• S. 3414, §415 (112th Congress)
– Would have required SEC to “evaluate existing
guidance to registrants related to disclosures by
registrants of information security risks and related
events” and consider updating the guidance or
issuing as an SEC interpretive guidance
• Prospects in 113th Congress
Ongoing Forensics and Legal Investigations
• Quick disclosure, such as with an 8-K, could complicate ongoing incident investigations
• How does this impact a law enforcement investigation?
• Unclear if disclosures could be delayed
• Does a delay request trump?
Security Breach Notice Requirements
• Differing requirements could lead to
inconsistencies in notices
– Litigation Risks
– Unfair/Deceptive Acts & Practices
• Will SEC disclosures have more information than
allowed under some state laws
Involvement of Other Regulators
• Will the SEC work with Other Regulators?
– Banking Agencies
– HHS (timing)
– FTC
• Will Banking Regulators work with the SEC?
• What role will state regulators play?
Detect -- Respond -- Contain
• Isn’t the impact and analysis unfinished until the company has had time to respond and react to the incident?
• Is the key the resiliency of the company itself?
Within Corporation Finance
• Pursuant to Sarbanes-Oxley, the Division of Corporation
Finance reviews reporting company filings at least once every
three years
• The comment letter process is the primary mechanism
• If Corporation Finance is not satisfied with comment letter
responses or the failure to disclose is sufficiently significant, the
matter may be referred for investigation
SEC Investigations
• SEC has several escalating processes available once a matter is referred for investigation
Resolving an Investigation in SEC Context
• SEC Resolutions
– Injunction
– Cease & Desist Order
– Report of Investigation / 21(a) report
– Deferred Prosecution Agreement
– Non-Prosecution Agreement
– No Action
• Additional Relief
– Monetary penalties
– Disgorgement of ill-gotten gains with interest
– Undertakings
Enforcement from Self-Regulatory Entities or Other Regulators
• FINRA rules permit imposition of penalties for violations of
federal securities laws, rules or regulations
• FTC or banking regulators may have authority under Section 5 of the FTC Act
SEC Forensics Capabilities
• New SEC Forensics Lab
• Risks to Using the “Free” Forensics
– Subject to “Routine Uses of Information”
– Non-waivable by SEC Staff
– Loss of Control of the Device and Information
Regulation S-P
• Breach notice requirement
• More Detailed Safeguarding Requirements
• Ability of Reps to Migrate Certain Info
• SEC CF Disclosure Guidance No. 2:
www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
• SEC Proposed Regulation S-P:
www.sec.gov/rules/proposed/2008/34-57427fr.pdf
• S. 3414 (112th Congress):
http://www.gpo.gov/fdsys/pkg/BILLS-112s3414pcs/pdf/BILLS-112s3414pcs.pdf
For More Information
Contact Us
James T. Shreve (CIPP/US, CIPP/IT)
BuckleySandler LLP
Attorney
202.461.2994
Christopher T. Pierson (CIPP/US, CIPP/G)
LSQ Holdings
EVP, Chief Security and Compliance Officer
407.515.6727
Thomas A. Sporkin
BuckleySandler LLP
Partner
202.349.8009