Demystifying SEC Guidance on Cybersecurity Risk
International Association of Privacy Professionals
Global Privacy Summit
March 7, 2013
James T. Shreve
Christopher T. Pierson
Thomas A. Sporkin

Agenda & Disclaimer

1. What the SEC Guidance Is
2. What the Guidance Says (and Does Not Say)
3. Balancing Additional Considerations
4. Non-Compliance Risks
5. Other SEC Privacy and Data Security Issues
6. Questions

The opinions contained herein do not reflect the opinions and beliefs of the authors’ employers or associated agencies (present or former). All content contained herein is for informational purposes only and may not reflect the most current legal developments. The content is not offered as legal or any other advice on any particular matter.

Part I: What the Guidance Is

About the Guidance

• SEC released the Guidance on October 13, 2011
– Drive transparency & awareness
– Provide clearer guidance on “material risks”
• Shine the light on cybersecurity risks within companies to allow for proper evaluation

Who Issued the Guidance?

• Issued by the SEC’s Division of Corporation Finance
• Not by the full SEC

What Weight of Authority Does It Have?

• “[P]rovides the Division of Corporation Finance's views regarding disclosure obligations relating to cybersecurity risks and cyber incidents.”
• “This guidance is not a rule, regulation, or statement of the Securities and Exchange Commission. Further, the Commission has neither approved nor disapproved its content.”

Who Is Subject to the Guidance?

• Public Companies
• Registrants

Part II: What the Guidance Does (and Does Not) Say

Division of Corporation Finance
Securities and Exchange Commission
CF Disclosure Guidance: Topic No. 2
Cybersecurity
Date: October 13, 2011

Summary: This guidance provides the Division of Corporation Finance's views regarding disclosure obligations relating to cybersecurity risks and cyber incidents.

Supplementary Information: The statements in this CF Disclosure Guidance represent the views of the Division of Corporation Finance. This guidance is not a rule, regulation, or statement of the Securities and Exchange Commission. Further, the Commission has neither approved nor disapproved its content.

Introduction

For a number of years, registrants have migrated toward increasing dependence on digital technologies to conduct their operations. As this dependence has increased, the risks to registrants associated with cybersecurity[1] have also increased, resulting in more frequent and severe cyber incidents. Recently, there has been increased focus by registrants and members of the legal and accounting professions on how these risks and their related impact on the operations of a registrant should be described within the framework of the disclosure obligations imposed by the federal securities laws. As a result, we determined that it would be beneficial to provide guidance that assists registrants in assessing what, if any, disclosures should be provided about cybersecurity matters in light of each registrant’s specific facts and circumstances.

What Is Cybersecurity or a Cyber Incident?

Cybersecurity Risks and Cyber Incidents
• Deliberate attacks or unintentional events
• Gaining unauthorized access to digital systems
– Misappropriating assets or sensitive information
– Corrupting data
– Causing operational disruption
• Denial of Service attacks
• Objectives: financial, financial theft, IP theft
– Main target or business partners

What Should Be Reported?

Cybersecurity Risks and Cyber Incidents
• Risk Factors
– Nature of Risks
– Included List of Possible Disclosures
• Management’s Discussion and Analysis of Financial Condition and Results of Operations
– Costs and Other Consequences
• Description of Business

What Should Be Reported?

Cybersecurity Risks and Cyber Incidents:
• Description of Business
– Effects on Products, Services or Relationships
– 3rd Party Relationships
• Legal Proceedings
• Costs associated or projected with the incident
• Costs associated with third parties/outsourced functions
• Financial Statements

What Does Material Mean?

• From case law
• A reasonable investor would find that information important in the decision to purchase or sell a security or in determining how to vote
• Substantial likelihood that the disclosure of the omitted fact would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available
– Material risk changes as the threat matrix evolves
– Material risk changes as perceived by others (news)

What Is Risk?

• Most significant factors that make an investment speculative or risky
• Factors particular to a business or the type of business rather than risks that could apply to any business
• Conduct risk analysis
– Use both quantitative and qualitative analysis
– Include in the risk analysis the adequacy and effectiveness of mitigating controls

How and When Should Reporting Be Done?

• Registration Statements
• Periodic Reports
• Material Event Reports
– 10-Q: company's quarterly report; less detailed
– 10-K: annual report filed by a company; in-depth
– 8-K: a form filed by companies to inform their shareholders of unscheduled material events that are important to shareholders

SEC Comments on Filings

• Differentiate risks from actual incidents
• Note risks arising from third party performance of cybersecurity duties
• Address risks mentioned in public statements
• Requests for more information from companies the SEC believes may have risks based on nature of business
– So far, comments/requests involve addressing risks in future statements
– SEC monitoring newsworthy events for handling in future reports

Amazon (slide image not captured in transcript)

The Hartford Financial Services Group (slide image not captured in transcript)

Eastman Chemical Company (slide image not captured in transcript)

Similar Language, Differing Placement

“Our websites and, as reported in the media, the websites of other large financial institutions, have recently been subject to a series of distributed denial of service cyber security incidents. These incidents have not had a material impact upon Bank of America, nor have they resulted in unauthorized access to our or our customers’ confidential, proprietary or other information.” Bank of Am. Corp., Quarterly Report (Form 10-Q) 144 (Nov. 2, 2012).

“Recently, there has been a well-publicized series of apparently related denial of service attacks on large financial services companies, including PNC.” PNC Fin. Serv. Grp., Inc., Quarterly Report (Form 10-Q) 172 (Nov. 8, 2012).

Similar Language, Differing Placement

“Recently, Wells Fargo and reportedly other financial institutions have [sic] been the target of various denial-of-service or other cyber attacks as part of what appears to be a coordinated effort to disrupt the operations of financial institutions.” Wells Fargo & Co., Quarterly Report (Form 10-Q) 19 (Nov. 6, 2012).

“The Firm and several other U.S. financial institutions have recently experienced significant distributed denial-of-service attacks from technically sophisticated and well resourced third parties which were intended to disrupt consumer online banking services.” JPMorgan Chase & Co., Quarterly Report (Form 10-Q) 221 (Nov. 8, 2012). The same language appears again in the same report at 106.

Caution!

• Risk by news
– Ensure you “right size” the risk to your environment
– Be careful not to overreact, but also do not boilerplate

Cybersecurity Legislation

• S. 3414, §415 (112th Congress)
– Would have required the SEC to “evaluate existing guidance to registrants related to disclosures by registrants of information security risks and related events” and consider updating the guidance or issuing it as SEC interpretive guidance
• Prospects in the 113th Congress

Part III: Balancing Additional Considerations

Ongoing Forensics and Legal Investigations

• Quick disclosure, such as with an 8-K, could complicate ongoing incident investigations
• How does this impact a law enforcement investigation?
• Unclear if disclosures could be delayed
• Does a delay request trump?

Security Breach Notice Requirements

• Differing requirements could lead to inconsistencies in notices
– Litigation risks
– Unfair/Deceptive Acts & Practices
• Will SEC disclosures have more information than allowed under some state laws?

Involvement of Other Regulators

• Will the SEC work with other regulators?
– Banking agencies
– HHS (timing)
– FTC
• Will banking regulators work with the SEC?
• What role will state regulators play?

Contractual Notice Obligations

Detect - Respond - Contain

• Isn’t the impact and analysis unfinished until the company has had time to respond and react to the incident?
• Is the key the resiliency of the company itself?

Part IV: Non-Compliance Risks

Within Corporation Finance

• Pursuant to Sarbanes-Oxley, the Division of Corporation Finance reviews reporting company filings at least once every three years
• The comment letter process is the primary mechanism
• If Corporation Finance is not satisfied with comment letter responses or the failure to disclose is sufficiently significant, the matter may be referred for investigation

SEC Investigations

• The SEC has several escalating processes available once a matter is referred for investigation

Resolving an Investigation in SEC Context

• SEC Resolutions
– Injunction
– Cease & Desist Order
– Report of Investigation / 21(a) report
– Deferred Prosecution Agreement
– Non-Prosecution Agreement
– No Action
• Additional Relief
– Monetary penalties
– Disgorgement of ill-gotten gains with interest
– Undertakings

Enforcement from Self-Regulatory Entities or Other Regulators

• FINRA rules permit imposition of penalties for violations of federal securities laws, rules or regulations
• The FTC or banking regulators may have authority under Section 5 of the FTC Act

SEC Forensics Capabilities

• New SEC forensics lab
• Risks to using the “free” forensics
– Subject to “Routine Uses of Information”
– Non-waivable by SEC staff
– Loss of control of the device and information

Part V: Other SEC Privacy and Data Security Issues

Dodd-Frank Act Effects

• Additions to SEC authority
• Changes to the role of other regulators

Regulation S-P

• Breach notice requirement
• More detailed safeguarding requirements
• Ability of reps to migrate certain info

Questions

Contact Us

James T. Shreve (CIPP/US, CIPP/IT)
BuckleySandler LLP, Attorney
202.461.2994

Christopher T. Pierson (CIPP/US, CIPP/G)
LSQ Holdings, EVP, Chief Security and Compliance Officer
407.515.6727

Thomas A. Sporkin
BuckleySandler LLP, Partner
202.349.8009