In particular, businesses need cyber guidance not only on security frameworks and procedures, but also on related obligations such as incident disclosure and reporting. Clear guidance on these points strengthens the overall defense against cyber threats and gives shareholders and other interested parties reliable information about a company's assets and the risks to them.
The Need for Cyber Guidance
Businesses hit by a cyber attack can incur substantial losses and a range of other negative consequences, including:
- Remediation costs associated with stolen assets or information, as well as the costs of repairing damaged systems
- Increased cyber protection costs related to organizational adjustments, implementing new cybersecurity technology, and consulting with third-party experts
- Lost revenues due to the unauthorized use of confidential information, along with loss of business opportunities
- Costs of litigation and other legal expenses
- Reputational damage that reduces investor confidence
Attackers' motives vary: monetizing stolen data, obtaining material nonpublic information for insider trading, setting up illegal offshore accounts, leaking documents, corrupting data, evading taxes, causing operational disruption, and other goals.
Disclosure for Public Companies
The U.S. Securities and Exchange Commission (SEC) has previously issued cybersecurity disclosure guidance (the Division of Corporation Finance's CF Disclosure Guidance: Topic No. 2, issued in 2011) on how public companies should disclose cyber risks and cyber incidents. The guidance creates no new explicit disclosure requirement; instead, it identifies the existing disclosure requirements that "may impose an obligation" on public companies to report cyber risks and incidents, and the filing sections where such disclosure may belong. These include:
- Risk factors
- Management Discussion & Analysis (MD&A)
- Business descriptions
- Legal proceedings
- Financial statements
- Disclosure controls and procedures
Many consider these guidelines somewhat vague, but businesses should focus on two practical aspects of their disclosure procedures. They should:
- Review their existing disclosure processes regularly to ensure that they communicate the cyber risks a reasonable investor would consider material.
- Disclose the material impact of a cyber attack and explain how they will mitigate the damage. Businesses benefit from having a disclosure readiness plan in place before an incident occurs, rather than improvising one afterward.
Large Law Firms May Be Especially Vulnerable to Cyber Attacks
Large law firms are particularly exposed to cyber attacks. A recent ABA survey found that 26 percent of responding firms with more than 500 attorneys experienced some form of security breach in 2016. Large law firms are attractive targets for several reasons:
- Law firms often run outdated software
- The people responsible for managing that software may have limited technical expertise
- Law firms hold sensitive, valuable information on behalf of clients, which makes them a worthwhile target in their own right
The Association of Corporate Counsel (ACC) recently released cyber security guidelines for outside law firms that handle company confidential information. Discussion of that guidance has focused largely on:
- Developing policies and procedures for the protection of confidential information
- Standardizing key cyber security-related terms
- Procedures to follow after a major cyber attack
- Disclosing security risks as well as cyber incidents
Mergers are another risky scenario. When one firm merges with another whose systems and security practices are entirely different, integrating the two environments can create new cybersecurity gaps, so security due diligence belongs in the merger process before the networks are connected.
General counsel should also be involved in cyber security matters from the outset of their engagement with a company, not only after an incident has occurred.
Cyber Guidance in the News
In related news, the House Science Committee recently advanced a bill aimed at helping small businesses improve their cyber security. The legislation has bipartisan backing and would require the National Institute of Standards and Technology (NIST) to make tools, guidelines, and other resources available to smaller businesses to strengthen their cyber defenses. NIST has already published a cybersecurity guide, but members of Congress are seeking to expand the scope of its small-business activities.
In Britain, the government's Cyber Security Breaches Survey found that only about half of businesses have implemented all of the basic technical controls set out in the government-backed Cyber Essentials scheme (boundary firewalls, secure configuration, access control, malware protection, and patch management). Just over half of businesses had actively sought advice, guidance, or information on cyber threats from any source, but only four percent had turned to the government for it.
Cyber security guidance should become more specific and actionable for businesses and law firms to follow. In particular, careful attention should be paid to disclosures of cyber risks and cyber attack incidents, since these directly affect shareholder interests. If you have any questions regarding shareholder rights, contact us today at Kessler Topaz. Our renowned shareholder litigation team has recovered billions of dollars for defrauded investors around the world.