Editor’s Note: The article below discusses one of the leading edges of federal regulation of private sector cybersecurity.
From: The Deal Magazine
by Stewart Baker, Steptoe & Johnson
Be honest. When you heard the Securities and Exchange Commission had issued guidance about corporate disclosure obligations concerning “cybersecurity risks and cyber incidents,” did you sigh and say to yourself, “Just what I need, another SEC release about Washington’s latest obsession?”
This time, though, that’s the wrong reaction. This time, I predict a significant impact on both corporate disclosures and deal practice, for two reasons: one grounded in the nature of network intrusions and the other in SEC practice.
First, the cyberthreat has changed, and in a bad way. Today, most companies learn that they’ve suffered a cyberattack long after the attack has succeeded. In many cases, the Federal Bureau of Investigation or Secret Service or Defense Department investigators show up on their doorstep to say that their systems have been bleeding terabytes of information into foreign servers, sometimes for months, without their knowledge. In other cases, a small anomaly leads to a bigger investigation, and the news just gets worse as forensics teams find evidence of long-standing compromises that are still active. As one investigator told me, “In certain industries, there are only two kinds of companies. The ones who know they’ve been compromised and the ones who don’t.”
That’s important, and not just for what it says about corporate strategies based on intellectual property and trade secrets. It’s already affecting the SEC’s guidance and soon will affect its approach to enforcement. Because when you know how bad cybersecurity is among U.S. companies, it’s not possible to read the new guidance without realizing that the SEC knows it too. Over and over again, the new guidance stresses that companies fighting regular intrusions cannot simply issue a “global warming” risk statement along the lines of “cyberthreats are really important and we’re at risk, which could be material.”
No, if you’ve had a serious intrusion, the SEC expects you to report that fact in some detail: “[I]f a registrant experienced a material cyber attack … it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur. Instead, as part of a broader discussion … the registrant may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences.” And if you still haven’t figured out the extent of the damage, the SEC expects you to provide your best estimate: “Registrants may not immediately know the impact of a cyber incident and may be required to develop estimates to account for the various financial implications.”
And it won’t end there. Sooner or later, any sophisticated intrusion is likely to end in a breach of personal or defense data that requires notification under state law or DOD contract law, or it may cause an outage that is embarrassingly public. At that point, SEC enforcers will ask two uncomfortable questions: “When did you learn of the breach, and why did it take you so long to disclose?” With those two questions, the enforcement cases will practically fall into their laps.
With enforcement so easy, and the harm from breaches so tangible, so serious and so likely to bring headlines, no one should expect the enforcers to go easy on companies that have been slow to disclose. Instead, I expect a growing wave of cases based on companies’ failure to make timely disclosure of ongoing breaches.
What does that mean for deals? Simple. It means that any company fighting a serious ongoing intrusion — or ignoring one — is carrying a potential SEC enforcement risk. Buyers who don’t want an ugly surprise after closing will need to put cybersecurity at the top of their due diligence to-do lists. And on the sellers’ side, the dilemma created by discovery of a breach is simply heightened. Where past breaches are known but unreported, sellers will have an unpleasant choice to make. They can make a disclosure to the SEC with incomplete information. Or they can try to tell the buyer why disclosure isn’t necessary and why the loss of intellectual property and the risk of an enforcement action should not affect the transaction price.
That conversation is going to be every bit as awkward as the SEC intended it to be.
Stewart Baker practices law at Steptoe & Johnson LLP. In past government service, he has been general counsel of the National Security Agency as well as assistant secretary for policy at the Department of Homeland Security.