Cybersecurity issues continue to be a hot topic for companies. As discussed in my prior blog posts, “Get ready for increased cybersecurity disclosure requirements” and “SEC pushes for disclosure of hacking incidents”, the SEC continues to focus on cybersecurity and data breach items and has now begun to encourage public companies to disclose them, even in the absence of applicable rules or regulations. The only official guidance from the SEC on cybersecurity disclosure continues to be the disclosure guidelines provided in October 2011 in CF Disclosure Guidance: Topic No. 2 – Cybersecurity (the “Release”).
There has been some important movement on cybersecurity issues outside of the SEC. While this does not directly pertain to disclosure of these items, public companies should pay close attention to these developments since they may provide some valuable guidance in this area. These developments also confirm the importance of cybersecurity issues and support my position that the SEC will probably soon mandate additional disclosure requirements for cybersecurity items.
On September 19, 2012, Senator John D. Rockefeller IV (D, West Va.) sent a letter to the CEOs of all Fortune 500 companies posing questions about these companies’ cybersecurity policies and related issues. His letter asked these companies to evaluate their roles and responsibilities in connection with cybersecurity legislation and reform and to work with the Federal government to successfully enact cybersecurity legislation. Responses to this letter are voluntary, but it is likely that most of these companies will respond in some fashion. The companies’ responses were requested by October 19, 2012.
Senator Rockefeller has long been a very strong proponent of cybersecurity legislation, and he is clearly frustrated with the lack of progress in this area. He was instrumental in the introduction of both the Cybersecurity Act of 2010 and the Cybersecurity Act of 2012, both of which failed to gain Senate approval. The proposed Cybersecurity Act of 2012 was defeated by a filibuster in August 2012, and in his letter Senator Rockefeller attributes this filibuster to opposition from business and trade groups, particularly the United States Chamber of Commerce. He has supported President Obama’s proposed use of an executive order to enact cybersecurity protection outside of the legislative process, and he references this in his letter. Based on the language of his letter, however, Senator Rockefeller now appears to be seeking a more cooperative arrangement with large companies to help overcome prior controversies and pass meaningful cybersecurity legislation.
The questions that Senator Rockefeller posed in his letter to the CEOs were:
- Has your company adopted a set of best practices to address its own cybersecurity needs?
- If so, how were these cybersecurity practices developed?
- Were they developed by the company solely, or were they developed outside the company? If developed outside the company, please list the institution, association, or entity that developed them.
- When were these cybersecurity practices developed? How frequently have they been updated? Does your company’s board of directors or audit committee keep abreast of developments regarding the development and implementation of these practices?
- Has the federal government played any role, whether advisory or otherwise, in the development of these cybersecurity practices?
- What are your concerns, if any, with a voluntary program that enables the federal government and the private sector to develop, in coordination, best cybersecurity practices for companies to adopt as they so choose, as outlined in the Cybersecurity Act of 2012?
- What are your concerns, if any, with the federal government conducting risk assessments, in coordination with the private sector, to best understand where our nation’s cyber vulnerabilities are, as outlined in the Cybersecurity Act of 2012?
- What are your concerns, if any, with the federal government determining, in coordination with the private sector, the country’s most critical cyber infrastructure, as outlined in the Cybersecurity Act of 2012?
All companies should understand that these actions by Senator Rockefeller and other legislative and regulatory events show that cybersecurity legislation and regulation are probably imminent. Senator Rockefeller is on the front lines of this effort, but many influential business and government leaders are concerned about the potential negative effects of cyber intrusions and the economic and privacy risks associated with them. There is also considerable concern among government and military leaders regarding the potential negative effects of cyberterrorism. All of these factors, read together, demonstrate that cybersecurity legislation and regulation are probably coming. Resistance to mandated cybersecurity requirements remains strong in certain areas of the business community, however, and it is difficult to predict the full effect or timing of such legislation if it is implemented.
Public companies should take this coming legislation and regulation to heart, as I believe that the SEC will mandate cybersecurity disclosure in some form soon in conjunction with the movement in the legislative and regulatory areas. At least one commentator has expressed the view that certain mandated disclosure of the status of each public company’s cybersecurity programs and measures (rather than mandating the nature of the programs and measures themselves) is a more effective way to cause public companies to enact effective cybersecurity protection. In any case, it appears that the confluence of all of these items will mean some form of mandated public company disclosure of cybersecurity items soon.
For now, public companies should carefully review the Release and the SEC’s recent actions in the area of the disclosure of cybersecurity measures and cyber incidents to obtain guidance on what these new disclosure obligations may require when they arise. My prior blogs (referenced above) provide information on these items. Other materials such as Senator Rockefeller’s letter will also be helpful in defining the relevant areas of concern. This should help public companies to identify and fix potential problem areas and to comply with disclosure obligations in the cybersecurity area as they develop. Companies should ensure that their advisors in this area have both securities law and technology law expertise.