Printed from

Companies have duty to disclose cyber breaches: Experts

Posted On: Apr. 11, 2019 1:18 PM CST

cyber response

A law enforcement investigation is not an excuse for failing to disclose a material cyber breach to investors or regulators, experts say.

Companies may contact law enforcement agencies such as the FBI when they are dealing with a cyber breach, experts say.

“If you’re a public company, then you owe a duty to inform investors of material events that occur at your company,” said Serrin Turner, New York-based partner and a member of the information law, data privacy and cybersecurity practice, Latham & Watkins LLP, said at the Incident Response Forum in Washington, D.C., on Wednesday. “Regardless of whether you tell the FBI about it or not, if you experience a material event, you have to disclose it.”

In February 2018, the Securities and Exchange Commission published interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents, with the guidance “putting additional pressure on companies to disclose sooner rather than later,” he said. “Once you have enough facts to know that a material event has occurred, you must disclose. The fact that you have an ongoing investigation is not sufficient reason to delay disclosure. If you need to do piecemeal disclosures, if you need to have disclosure saying ‘we’ve experienced this event, we’re working on finding out more details’ … fine. What you can’t do is wait until your investigation is all wrapped up.”

Under the guidance, companies have to disclose material cyber risks and material cyber incidents and determining materiality is a “very fact-specific inquiry – what it depends on is the nature and the extent and the potential magnitude of the incident or risk, especially in relation to the company’s operations,” said Deborah Tarasevich, Washington, D.C. -based assistant director of the market abuse unit, Securities and Exchange Commission’s division of enforcement. Some factors to be considered are the importance of the compromised information, the impact on the company’s operations, the harm to the company, including reputational or financial harm, as well as possible litigation or regulatory action, she said.

“The fact that you have an ongoing internal investigation or even an external investigation like the FBI, that’s not a reason in it of itself to not disclose a material cyber incident,” Ms. Tarasevich said.

But Elizabeth Gray, a Washington, D.C.-based partner in the litigation department and co-chair of the securities enforcement practice group for Willkie Farr & Gallagher LLP, noted that “on the SEC side, one of the arguments in favor of being very cautious before you disclose is that once you start speaking, you have an obligation to update. If you get it wrong, you could cause more harm than if you just waited a month and assessed it. If you have a good system in place, when the SEC comes knocking at your door to look at your disclosure, you can say ‘this is what we did. We didn’t know for sure. We were talking to the FBI. We were doing our internal investigation. If we spoke a month ago, we may have gotten it wrong and then we have a duty to correct and investors might have sold off because we gave the wrong information.’”

Andrew Pak, vice president and corporate counsel of cybersecurity and privacy for Prudential Financial Inc. in Newark, New Jersey, said: “if you’re a large financial institution and you have a cybersecurity program, you have incident response plans, likely there will be triggers that will give you a sense of whether you are dealing with something that might be material.”

Prudential Financial has enterprisewide incident response plans for events that “might reach a certain level of significance such that we would have broader or deeper interaction with senior management,” he said.

“If you have an incident response plan that is actually tailored to different levels of significance, that’s already a good starting point in understanding whether you now have to engage in the question of materiality because there are going to be insignificant events that come up and they won’t even trigger the enterprisewide plan,” he said.  

Under the SEC disclosure guidance, “you also have to have sufficient disclosure controls in place such that when a cyber incident occurs, it gets elevated to the appropriate personnel, up the corporate ladder, who can make these disclosure decisions,” Ms. Tarasevich said. “That’s very important. But at some level, if you are making a disclosure that is so boilerplate, so basic that it may not even help an investor or be important to an investor, you might be at some risk there.”

The SEC is not going to “second guess, good faith, reasonable decisions about disclosure,” she said.

“We’re going to look at this as ‘were you acting reasonable? What did the company know at the time and what did they disclose,’” Ms. Tarasevich said. “That being said … there are going to be some circumstances where disclosure is so lacking that we will be bringing enforcement actions. But we take, I think, a very thoughtful and judicious approach about bringing these types of cases.”

In 2016, Morgan Stanley Smith Barney LLC agreed to pay a $1 million penalty to settle charges related to its failures to protect customer information, according to the SEC, which issued an order finding that Morgan Stanley failed to adopt written policies and procedures reasonably designed to protect customer data. From 2011 to 2014, a then-employee impermissibly accessed and transferred the data of about 730,000 accounts to his personal server, which was ultimately hacked by third parties. Morgan Stanley agreed to settle the charges without admitting or denying the SEC’s findings.

“I think it’s a really interesting case,” Mr. Turner said. “What is shows to me is that regulators apply a sliding scale based on the sophistication of the entity involved.”

For example, Morgan Stanley had a written information security policy and controls in place to ensure the data was accessible only to people with the right privileges, but the then-employee found and was able to exploit a glitch, he said. Morgan Stanley did not audit that particular system or test the relevant authorization modules or monitor or analyze employee access to and use of the portals, according to the SEC. 

The SEC “came down pretty hard on Morgan Stanley whereas they might not have for a smaller, less sophisticated company,” he said.

“Morgan Stanley is pleased to settle this matter, which results from the theft by a former employee of certain limited client data that was reported in January 2015,” the company said in a June 2016 statement. “Following the discovery of the incident, Morgan Stanley promptly alerted law enforcement and regulators, and notified affected clients. Morgan Stanley worked quickly to protect affected clients by changing account numbers and offering credit monitoring and identity theft protection services, and has strengthened its mechanisms for safeguarding client data. No fraud against any client account was reported as a result of this incident.”