A Q&A with Jacob Olcott
As Jacob Olcott, principal in cybersecurity at Good Harbor Security Risk Management, LLC, points out, the SEC Guidance released in 2011 brings the issue of data security out of the IT realm and into corporate governance. But these rules for publicly traded companies are still relatively new, and what they mean in terms of legal exposure is still largely untested. Olcott answered a few of my questions about the guidance and how companies can minimize their risks.
Can we have a layperson explanation of the SEC Guidance as it relates to data security?
The idea here, generally speaking, is that publicly traded companies are obligated to disclose material risks to investors. The securities laws have been in place for 80 years—what’s new is that in 2011, the SEC issued guidance for companies to apply that longstanding legal requirement to the cyber security context. We know that every company in the world today has been penetrated and huge volumes of information have been exfiltrated out of corporate networks, largely the loss of intellectual property and trade secrets. But what hasn’t happened yet, necessarily, is disclosure of these incidents and that’s important from an investor’s standpoint. This guidance sits alongside all of the other legal obligations to disclose events when they happen—whether it’s laws regarding the security of health information or financial information—but it also covers information for which there had been no existing legal requirement, such as business secrets and intellectual property.
What’s the financial exposure here for a company that ignores the SEC guidance?
The failure to disclose material information can lead to shareholder lawsuits—there are decades and decades of history behind that. It can also lead to SEC enforcement acts, which are associated with fines. However, up until now there has never been an example of the SEC bringing an enforcement action against a company for notification around data loss, so it’s still unknown. Still, I think the reality is that as companies become more aware of their legal obligations to defend their networks, shareholders will be demanding greater security from the companies they’re investing in.
What concern might a board or CEO have in complying with the guidance? And how can a business mitigate this exposure?
The bottom line here is that boards and CEOs should be very worried about this because it raises a question that most if not all companies cannot answer today: If we had a material event in our system, would we know it? There’s a growing realization in the C-suite that we have got to get a better understanding about what our security posture is today, whether it’s because of the SEC guidance or the growing realization that bad guys are here and they’re coming after us. The first step is to think about what would constitute a “material event” to the business, and that is very business-dependent, so we would tell our clients to figure out what they do and work backwards from there—basically, to figure out what the crown jewels are. If a company has a significant amount of consumer information, for instance, then that’s what they need to be focusing on. If it’s a piece of critical infrastructure like the electrical grid, then keeping the lights on and the control systems working is the most sensitive thing to protect.
It’s very important for companies to have a corporate-wide cyber risk committee. If you ask the average IT security guy what “material cyber risks or events” mean they will just look at you dumbfounded—it’s not a term of art in the IT world. This is a good example of why general counsel or even more senior folks like the CEO who understand the business implications have to be more involved in managing cyber risk. It’s also very important for officers and directors to work with the security staff and do tabletop exercises in planning incident response ahead of time because the last thing you want is to be in the middle of a crisis and just thinking about it for the first time.
Can a violation of this SEC guidance lead to a possible directors and officers (D&O) lawsuit?
Yes, officers and directors have a longstanding legal responsibility to disclose material information to investors and I don’t think there’s any question that if they’re not closely examining cyber risk they could be very vulnerable in a potential suit. However, it hasn’t happened yet.
In conclusion …
This is a complex topic. In summary, it’s difficult to define “material risk.” After all, some companies face multiple malicious attacks/attempts on a daily basis that they may consider a nuisance but routine—and it would have to be an actual breach to be deemed “material.” For another company, the close calls could pose a material risk. And what if it’s only a minor breach, like a lost laptop? To report material risk publicly, companies will need to involve counsel skilled in security and privacy matters and thoughtful about balancing the needs of outside investors with the company’s interests, while not releasing too much information about their own loss control measures to the outside world. To build on Mr. Olcott’s insightful comments, it will be interesting to see if the SEC follows up here with significant penalties for willful violators of the guideline’s intent AND whether plaintiff lawyers leverage the SEC noncompliance argument in their data breach class action lawsuit complaints.