Date: 2017-10-03

Do U.S. companies face SEC securities liabilities and disclosure requirements if their own accounts or their customers’ accounts are hacked?

It’s a question addressed by securities and investment attorney Laura Anthony, founding partner of Legal and Compliance, LLC, in West Palm Beach, in a blog post about a late September 2014 cybersecurity attack that targeted at least 500 million Yahoo users’ accounts – information that was not disclosed by the web services provider until nearly two years later, before its acquisition by Verizon Communications.

The disclosure issue was raised September 26, 2016, in a letter by U.S. Senator Mark Warner (D-VA), member of the Senate Intelligence and Banking Committee and co-founder of the bipartisan Senate Cybersecurity Caucus. Warner asked the U.S. Securities and Exchange Commission (SEC) to investigate Yahoo and to re-examine its policies about cybersecurity disclosure in general.

Ms. Anthony points out that under current rules, “there is no specific disclosure requirement or rule under either Regulation S-K or S-X that addresses cybersecurity risks, attacks or other incidences.” Both S-K and S-X filings govern company disclosures and reporting requirements.

But she also highlights key categories and issues that companies must consider when deciding whether to disclose a cybersecurity incident to the SEC.

Current SEC disclosure requirements are based on the premise that “timely, comprehensive and accurate information about risks and events” should be reported if a reasonable investor would consider it important to an investment decision.

According to Ms. Anthony, cyberattacks or hacking incidents can put companies, investments and investors at risk on several fronts, including unauthorized access to company or customers’ information, data corruption, misappropriated assets, access to sensitive information, operational disruption, or theft of financial assets or intellectual property. Hacks can create negative financial impacts for targeted companies, including remediation costs, expert or consulting fees, litigation costs, reputational damage, liability for stolen assets, higher cybersecurity costs and more.

Based on the small number of company-filed disclosure reports, especially when contrasted with the number of documented cybersecurity attacks, Ms. Anthony says that most companies typically do not file reports with the SEC after a determination that the attacks were not material to investment decisions.

She urges companies to consider their “obligation to disclose cybersecurity risks, attacks or other incidents,” especially if they fall into key categories, including:

· Risk factors, based on the qualitative and quantitative magnitude of the attack or incident on business operations, outsourcing, insurance coverage, costs of past incidents or costs related to incidents that go unreported for long periods

· Management discussion and analysis, with a special focus on a cybersecurity attack’s impact on company operations, liquidity or financial condition

· Business descriptions, especially if an incident impacts a company’s products, services, relationships with customers or suppliers, or competitive status

· Legal proceedings, especially if cyberattacks result in litigation

· Financial statements that are filed prior to, during or after an incident to address associated preventive costs, direct losses, incentives paid to affected customers or vendors, and costs related to warranties, breach of contract, product recalls/replacements, trademarks, patents, capitalized software, inventory and the like