'Groundbreaking' or broken? An analysis of SEC cybersecurity disclosure guidance, its effectiveness, and implications.

Author: Ferraro, Matthew F.
Position: V. The Impact of CF DG 2 through VIII. Conclusion, with footnotes, p. 323-347
  V. THE IMPACT OF CF DG 2

    In her response to Senator Rockefeller's April 2013 letter asking for the SEC to "elevate" the staff cybersecurity guidance, Chairwoman White defended the efficacy of CF DG 2 by noting that the SEC "staff issued comments addressing cybersecurity matters to approximately 50 public companies of varying size and in a wide variety of industries." (175) No law review article on CF DG 2 has critically analyzed those letters or the cyber disclosures they prompted. (176) This part attempts to address that lacuna through the analysis of ten case studies of corporate disclosures on cybersecurity, the ensuing SEC comments, and the subsequent corporate disclosures. (177) In every case, the target corporation altered the subsequent disclosure in a manner the SEC (acting with direct reference to CF DG 2) requested, even if the company protested initially that the disclosure was not material or necessary. Notably, even after the SEC prompted action, most of the disclosures themselves were general and vague.

    A. Case Studies

      This article reviews each case study in turn.

      1. Amazon.com

        A leader in Internet retail, Amazon.com has a market capitalization of about $170 billion, 117,000 employees, and 2012 revenues of over $60 billion. (178) The online shoe portal Zappos.com--dubbed a "shoe utopia" by the press (179)--is a subsidiary of Amazon. Recently, there was trouble in paradise: in January 2012, an unknown perpetrator infiltrated Zappos' internal computer network through servers housed in Shepherdsville, Kentucky and may have had "illegal and unauthorized access" to customer account information, including customers' names, e-mail addresses, billing and shipping addresses, phone numbers, the last four digits of their credit card numbers, and their "cryptographically scrambled password[s]." (180) The episode garnered significant press and spurred class action suits for a litany of civil wrongs. (181)

        A few weeks later, Amazon filed its standard Annual Report (Form 10-K) with the SEC. It made only vague references to the potential of cyber intrusions that "could expose us or our customers to a risk of loss or misuse of [personal] information, adversely affect our operating results, result in litigation or potential liability for us and otherwise harm our business." (182) The report made no mention of the intrusion that had just occurred and triggered lawsuits.

        The SEC replied to Amazon's Annual Report and cited the recent news that, far from a mere hypothetical intrusion, a cyber-attack on its Zappos subsidiary had "occurred during which millions of user accounts were compromised"; accordingly, it asked the company to "please address whether disclosure" in its 10-K of such an attack was necessary to advise possible investors of all potential harm to its business, including "reputational damage affecting customer or investor confidence." (183) To support its request for greater disclosure, the SEC cited CF DG 2. (184)

        At first Amazon protested, claiming that "information on the specific incident would not provide investors with additional material information relating to the cyber-attack risks facing our business," that the attack had no material impact on Amazon, and that any impact on Zappos would be "transitory." (185) Undeterred, the SEC again pressed Amazon to "expand" its 10-K "to disclose that you have experienced cyber-attacks and breaches" in a second letter the following month. (186) This time, Amazon obliged. It wrote in its next filing that some of its subsidiaries "had past security breaches, and, although they did not have a material adverse effect on our operating results, there can be no assurance of a similar result in the future." (187) It is unclear what effect, if any, Amazon's subtle word change had on shareholders' investment decisions.

      2. American International Group (AIG)

        AIG was once the world's largest insurer (188) and has "customers in more than 130 countries." (189) In its 2011 Annual Report it wrote that its many data systems "could ... be subject to unauthorized access, such as physical or electronic break-ins or unauthorized tampering." It also noted that "[i]n some cases, such unauthorized access may not be immediately detected. This may impede or interrupt our business operations and could adversely affect our consolidated financial condition or results of operations." (190)

        The SEC responded several weeks later and asked directly "whether you have experienced attacks, unauthorized access, systems failures and disruptions in the past and, if so, whether disclosure of that fact would provide the proper context for your risk factor disclosures." It directed AIG to "[p]lease refer" to CF DG 2. (191)

        AIG responded with an air of incredulity. "Like other global companies, AIG has experienced threats to its data and systems, including malware and computer virus attacks, unauthorized access, systems failures and disruptions. The nature of these incidents is not unique to AIG," it wrote. (192) But, "[n]one of the incidents to date, nor the costs or other consequences associated with such incidents, has materially affected AIG's business or consolidated financial position or results of operations." (193) It also had procedures in place to notify affected individuals and the government, when necessary, of the unauthorized access of personal information. "Based on these procedures and in light of its experience to date, AIG does not believe that disclosure of the specific facts and circumstances of the incidents to date would provide useful context to its risk factor disclosures." (194)

        In a second letter, the SEC seized on AIG's admission--probably taken for granted by most major firms--that it had "experienced threats to [its] data and systems, including malware and computer virus attacks" and pressed again for greater disclosure. (195) "In order to place the risks described in this risk factor in an appropriate context, please expand your risk factor to state that you have experienced [such] threats...." (196)

        AIG subsequently relented. "Pursuant to the Staff's comment, AIG will expand its risk factor on electronic data systems and the handling of confidential information in" future filings to include an expanded disclosure, it wrote. (197) The new language reads in its entirety: "Like other global companies, we have, from time to time, experienced threats to our data and systems, including malware and computer virus attacks, unauthorized access, systems failures and disruptions." (198) Upon review, the statement seems self-evident.

      3. Anheuser-Busch InBev

        Headquartered in Brussels, Belgium, Anheuser-Busch InBev is the world's largest brewing company. (199) As a foreign corporation, it files a Form 20-F with the SEC, which is functionally equivalent to a Form 10-K. (200) In the Form 20-F it filed in 2012, Anheuser-Busch spoke only in the conditional: "our information systems may be vulnerable to a variety of interruptions due to events beyond our control" which could "disrupt our business." (201) The SEC was not satisfied with such disclosures and asked that, "[i]f you have experienced any cyber-attacks, security breaches or other similar events in the past, in future filings, beginning with your next Form 20-F, please confirm that you will state that fact in order to provide the proper context for your risk factor disclosure." (202)

        Anheuser-Busch pushed back in a response letter. As far as it knew, "the Company has not experienced any material breaches of cybersecurity ... and believes its risk factors, as currently drafted, adequately describe the nature of the risks the Company faces relating to cybersecurity." (203) In reply, the SEC--not comfortable merely providing its view and letting the company determine for itself what to disclose--noted that, from the company's response, "it appears that you have experienced and expect to continue experiencing attempted breaches of your technology systems," and, if so, it asked the company to state as much in its next filing. (204) Anheuser-Busch then relented. Appended to the bottom of its next Form 20-F was a blanket statement that the company "experience[s] from time to time attempted breaches of our technology systems" and expected those to continue, although "[n]one of the attempted breaches on our systems (as a result of cyber-attacks, security breaches or similar events) had a material impact on our business...." (205)

        What is striking is that, unlike AIG, which at least admitted that some cyber-attacks had been successful, Anheuser-Busch claimed that none had been and agreed to disclose--vaguely and nonspecifically--merely attempted attacks, even though those attempts were purportedly not "material." In light of the depth and breadth of the global cyber-attacks discussed supra, it strains one's imagination that no such attack on Anheuser-Busch has been successful, but the disclosure contains no admission to the contrary.

      4. ConocoPhillips, Inc.

        ConocoPhillips is a global oil and gas company that in 2011 reported revenue of over $237 billion. (206) A company of such size and scope faces a number of exposures, and in the Annual Report it filed with the SEC in February 2012 it listed "cyber-attacks" as the last among many "hazards and risks that require significant and continuous oversight." (207) In response, the SEC wrote ConocoPhillips and asked it to "provide a separate discussion of the risks posed to your operations ... by cyber-attacks" and pointed it to CF DG 2 "for additional information." (208)

        Like AIG and Anheuser-Busch, ConocoPhillips at first resisted. "We have reviewed ... [CF DG 2] and believe the Company's current disclosures regarding the risks relating to its cybersecurity are appropriate in light of the Company's business, size and experience with cybersecurity and cyber incidents." While it has experienced "occasional" breaches, "none of those breaches has had a material effect on...
