The need for counsel – particularly securities counsel – to understand the structure and security of her/his publicly-traded client’s IT systems has become even more important as a result of guidance just issued by the SEC.
On October 13, 2011, the Securities and Exchange Commission issued guidance discussing when public companies may need to disclose cybersecurity risks and incidents. In so doing, the SEC placed cybersecurity at the same level of importance as other operational and financial risks, even though (as the SEC acknowledges) there are no existing disclosure requirements that “explicitly refer to cybersecurity risks and cybersecurity incidents.”
In determining whether a cybersecurity risk is material, a company must evaluate “all relevant information” about its cybersecurity risks. This includes a consideration of “the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption.”
As with other risk factors, if a company determines that it must disclose cybersecurity attacks as a potential risk, it cannot use “boilerplate” language to describe the risk. This presents a tricky drafting question, because a company need not disclose information that would expose it to further cybersecurity risks.
In advising clients as to whether cybersecurity information should be disclosed and how, counsel must take the time to understand (1) what critical electronically stored information (ESI) is being created, (2) where it is kept, (3) how it is secured (working closely with any IT security personnel), and (4) what would happen if it were stolen or accidentally disclosed. Counsel cannot presume that IT knows the answers to questions 1, 2, or 4. IT builds bookshelves – it does not necessarily know what books users are putting on the shelves, or the importance of those books.
Securities counsel should consider working with inside or outside counsel knowledgeable about IT systems and security risks to determine how best to assess these risks and, if they exist, how to disclose them. Don’t treat this IT assessment as an afterthought – the SEC is thinking about it, and so should you.