Contemplating corporate disclosure obligations arising from cybersecurity breaches.

Author: Young, Sam
I. INTRODUCTION
II. BACKGROUND
  A. EMC Corporation and the RSA SecurID Token Hack
  B. Magnitude of the Threat to Corporations and Their Investors
  C. SEC Disclosure Requirements
  D. Senator Rockefeller's Letter
  E. SEC's October 2011 Disclosure Guidelines
III. ANALYSIS
  A. Disclosure Obligations Under the Guidelines
    1. Risk Factors
    2. Management's Discussion and Analysis of Financial Condition and Results of Operations (MD&A)
    3. Description of Business
    4. Legal Proceedings
    5. Financial Statement Disclosures
    6. Disclosure Controls and Procedures
  B. Reaction to the Guidelines
IV. RECOMMENDATION
  A. The SEC Should Adopt the Guidelines as Formal Rules
  B. The SEC Should Institute Dollar and Percentage of Assets Thresholds for Determining Materiality
  C. The SEC Should Develop an Optional Reporting System for Cyberattacked Public Companies
V. CONCLUSION

I. INTRODUCTION

    In an age where business entities store and communicate valuable information pertaining to sales, planning, research and development, company finances, and intellectual property on their Internet-connected computer networks, it is not surprising that these computer networks have become the target of cyberattacks. (1) These cyberattacks range in complexity from simple denial-of-service attacks, which cause disruption to company websites but do not extract information, (2) to sophisticated attacks that can destroy--or appropriate--multimillion-dollar investments. (3) Despite the negative impact that a major cybersecurity breach might have on a public company's investors, the Securities and Exchange Commission (SEC) does not currently have a formal rule or regulation explicitly requiring a public company to disclose a damaging cyberbreach to its investors. (4) However, in the wake of numerous high-profile cyberattacks on corporations, the SEC recently issued guidelines advising companies that cyberattacks may require public disclosure in certain circumstances. (5)

    Part II of this Note provides background information on pertinent cybersecurity and SEC disclosure issues, including those issues that most directly led to the SEC's issuance of its advisory disclosure guidelines. Next, Part III analyzes these guidelines in detail and presents potential areas of concern posed by their implementation. Part IV advises that the SEC should adopt these guidelines as formal rules. It also urges the SEC to supplement the guidelines with specific dollar and percentage of assets thresholds to assist a company in determining the materiality of a given cyberevent. It then proposes a new, optional reporting system to provide a recently attacked company with the ability to document its real-time responses to a cyberattack, including its decision making regarding its disclosure obligations. Finally, Part V summarizes this Author's recommendations, placing them in the modern cybersecurity and disclosure contexts.

II. BACKGROUND

    According to a widely cited study, during the 12 months preceding June 2011, 90% of companies were the target of at least one cyberattack. (6) In 2010, "malicious" cyberattacks constituted 31% of all U.S. data breaches, with each breach costing the affected company an average of $7.2 million. (7) While some breaches may prove relatively harmless, others may damage a corporation's infrastructure, assets, and competitive advantage to a significant degree. (8) Many cyberattack victims are companies that take security very seriously; in fact, for some, "security" is their business. (9) Others, though not in the security business, are considered leaders in the information technology, computer networking, and Internet business fields. (10)

    The resulting harms of a successful attack against such firms are not limited to information losses and mitigation expenses; the attacks may undermine the very reputations of the firms. (11) The cumulative harm of a cyberattack on a public company's investors is significant. In a report to Congress, researchers determined that the average cyberattack against a New York Stock Exchange listed company results in shareholder losses of $50-200 million (one to five percent of capitalization). (12) Despite this real harm, the SEC does not maintain any rule or regulation explicitly requiring firms to disclose cyberattacks. (13) To better illustrate the issues surrounding cyberattacks on corporations, and the possible ramifications for investors, consider the following recent example.

    A. EMC Corporation and the RSA SecurID Token Hack

      EMC Corporation is a publicly traded information technology products and services company. (14) Its clients include banks, telecommunications companies, healthcare entities, and the federal government. (15) EMC ranks number 152 among Fortune 500 companies, and saw $20 billion in total revenue for 2011. (16)

      In 2006, EMC purchased RSA, an information security firm, for approximately $2 billion. (17) RSA produces a security device called a "SecurID token" that enables RSA clients to remotely and securely log into their corporate computer networks. (18) The SecurID token displays a screen with a constantly changing digital password key: to log into a corporate network, a SecurID user must type in the current digital password in combination with other security credentials. (19) RSA clients include many large defense contractors, including Lockheed Martin, Raytheon, and Northrop Grumman, as well as large financial and banking institutions, such as Wells Fargo and Northwest Bancshares. (20) As of June 2011, an estimated 40 million SecurID tokens were in use by RSA clients. (21)

      In early 2011, select users of RSA SecurID tokens, including Lockheed Martin employees, received an email with the subject line reading "2011 Recruitment Plan." (22) Attached to this email was an innocuous-looking spreadsheet. (23) However, once a user opened the document, malware (24) embedded in the spreadsheet enabled hackers to breach the security structure of the user's computer network. (25) The computer systems of RSA clients, including Lockheed Martin, were soon thereafter compromised, with hackers extracting data and information of untold value. (26)

      This attack proved extremely costly to RSA. (27) Between the months of April and June alone, RSA (EMC) spent over $66 million addressing the security breach, (28) and by June EMC's shares had fallen five percent. (29) RSA clients fared even worse--estimates hold that the breach will cost RSA clients in the banking industry alone upwards of $100 million. (30) RSA's reputation also took a hit, with headlines such as "Crisis Costs EMC Reputation in Security," (31) "RSA: Cyberattack Could Put Customers at Risk," (32) and "RSA Faces Angry Users After Breach" (33) appearing in respected media outlets. News media also reported that large clients in the defense industry publicly contemplated dropping RSA SecurID tokens in favor of competing technological alternatives. (34)

      Adding to the anger of compromised RSA clients was RSA's response to the crisis. In the immediate aftermath of the attack, RSA downplayed the scope of the attack and the dangers it posed to RSA clients. (35) For up to seven weeks, it did not even advise companies to replace the compromised SecurID tokens. (36) As one expert summarized, RSA's message was essentially: "everything is fine--pay no attention to the explosion in the corner." (37) When RSA finally did admit the seriousness of the attack and the dangers it posed to its clients, a common reaction, according to one industry expert, was "too little, too late." (38)

      RSA competitors actively sought to capitalize on RSA's troubles. (39) Some began offering rebates to RSA clients if they agreed to switch from RSA SecurID tokens to the competitors' products. (40) Indeed, when news of the breach reached the market, the share values of RSA's largest competitors increased noticeably. (41)

      RSA is by no means the only high tech firm to experience a malicious security breach. In fact, the exact cyberattack methodology that breached RSA's system is thought to have affected a staggering 760 companies, including 20% of Fortune 100 companies. (42) However, that RSA is an industry leader in providing security against cyberattacks makes the successful cyberattack against it especially noteworthy, as evidenced by the proliferation of media reporting the story. (43) The attack on EMC's RSA division also highlights the impact an attack might have on investors or potential investors in a public company. (44) Given that RSA's success depends in large part on its cybersecurity offerings, an attack of the magnitude discussed above would likely be of great interest to investors and potential investors in EMC.

    B. Magnitude of the Threat to Corporations and Their Investors

      Before moving on, it is important to note the magnitude of the cyberattack threat to all modern corporations. (45) Referring more broadly to recent cyberattacks, a recent McAfee report summarizes the effects of these attacks as follows:

      What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth--closely guarded national secrets (including those from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, ... and much more has "fallen off the truck" of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries. ... [I]f even a fraction of [stolen information] is used to build better competing products or beat a competitor at a key negotiation (due to having stolen the other team's playbook), the loss represents a massive economic threat not just to individual companies and industries but to entire countries that face the prospect of decreased economic growth in a suddenly more competitive landscape.... (46)

      Despite the serious threat that cyberattacks pose to publicly...
