SEC Cybersecurity Guidelines: Insights Into The Utility Of Risk Factor Disclosures For Investors
Edward A. Morse
Creighton University – School of Law
Creighton University College of Business
John R. Wingender
December 29, 2015
In October 2011, the SEC issued new guidelines for disclosure of cybersecurity risks. Some firms responded to these guidelines by issuing new risk factor disclosures. This paper examines the guidelines and cybersecurity disclosures in the context of existing laws governing securities regulation. It then examines empirical results from firm disclosures following the new guidelines. Evidence shows a relatively small proportion of firms chose to modify their risk factor disclosures, with most firms choosing not to disclose any specific cybersecurity risk. Moreover, disclosing firms generally experienced significant negative stock market price effects on account of new disclosures. Rather than viewing disclosure a positive signal of management attentiveness, investors apparently viewed it as a cautionary sign.
SEC Cybersecurity Guidelines: Insights Into The Utility Of Risk Factor Disclosures For Investors – Introduction
information (including customer data, proprietary information, or other sensitive financial information) is an attractive target for malefactors seeking to exploit its value or inflict economic harm through inappropriate access, use or disclosure. Corporate managers are expected to consider cybersecurity risks as part of their duty to secure business assets.1 Previous research has demonstrated that ex post disclosures of data security breaches correlate strongly to negative stock price movements and that these effects can linger over reasonably long-term time horizons.2 A breach disclosure likely represents new information entering the marketplace that could cast a shadow on the firm’s economic prospects. Factors such as erosion of customer goodwill, reduced investor confidence in management’s ability to secure the firm’s assets, and exposure to transaction costs associated with resolving claims may explain negative effects on stock prices.
This article considers a distinct but related issue: whether ex ante disclosures of cybersecurity risks can also impact stock prices. On October 13, 2011, the Division of Corporation Finance of the U.S. Securities and Exchange Commission issued guidance expressing the Division’s views on “disclosure obligations relating to cybersecurity risks and cyber incidents”. 4 That guidance, which is neither a rule, regulation or statement of the SEC,5 was intended to “assist registrants in assessing what, if any, disclosures should be provided about cybersecurity matters in light of each registrant’s specific facts and circumstances.”
Although other rules may obligate firms to disclose material cybersecurity risks in particular contexts, some publicly traded companies added new disclosures following the issuance of this new guidance.8 This change in reporting practices provides an opportunity to assess the impact of new voluntary disclosures on the disclosing firms.
We examined Form 10-K, Form 10-Q, and Form 8-K disclosures of publicly traded companies from the year preceding and following October 13, 2011, in order to identify companies that issued new cybersecurity risk disclosures following the SEC guidance. We catalogued the language used to make this disclosure, along with the date that it was first published, in order to perform an event study to investigate whether any market price effects could be discerned on account of this new disclosure. As discussed below, we found a significant negative impact on market price associated with the disclosing event.
We also examined SEC comment letters related to its October 13, 2011 guidance, which were issued to registrants or prospective registrants between February 2012 and August 2014. We reviewed 68 letters from firms that responded to SEC questions concerning their compliance with the guidance. Most of these letters (54 or about 79.4%) addressed either Form 10-K disclosures or Form 20-F disclosures, which are required annually. Other responses (13 or about 19%) addressed forms for registering new securities, including Form DRS and Forms S-1 or S-1A; one response involved Form DEF 14A, which is connected to proxy solicitation.
These exchanges between the SEC and registered firms provide additional insights into the kind of information that the SEC is seeking from registered firms. While most firms have chosen to remain silent because of the absence of any perceived material impact from cybersecurity problems, other firms appear to be moving toward including bland, boilerplate discussion of such risks as a means to avoid controversy with the SEC. If this path is followed, it does not bode well for the utility of the current disclosure framework. Bland disclosures could also enhance risks for firms, to the extent that such disclosures may arguably provide fuel for investor claims of material misrepresentation based on changing conditions within the firm.
This discussion is organized as follows. Part II provides an overview of the role of disclosure in federal securities law and the parameters for disclosure in the October 13, 2011 guidance. Part III looks at the legal consequences for errors and omissions in disclosure and their effects upon disclosure behavior, including the potential for over-disclosure in a manner that, ultimately, may provide limited or no utility for the investing community. Part IV provides a more detailed look at empirical results from our examination of company disclosures and the associated effects on stock price. Finally, part V provides concluding comments about disclosures in this context.
Cybersecurity Disclosure Requirements
Federal securities laws are rooted in the efficacy of disclosure. Requiring the timely disclosure of relevant information presumably allows investors to make informed decisions about their investments and induces confidence in the investment community.9 However, an effective disclosure regime requires a winnowing process, so that investors can sort out relevant information from the trivial and insignificant. A materiality screen is thus designed to “filter out essentially useless information that a reasonable investor would not consider significant, even as part of a larger ‘mix’ of factors to consider in making his investment decision.”
As a leading treatise has observed, “Materiality is highly factual and thus defies a bright line definition.”11 Further, “[m]ateriality depends not upon the literal truth of statements, but upon the ability of reasonable investors to become accurately informed.”12 This amorphous character of the materiality standard has often generated controversy as registrants, regulators, and rule makers all seek to provide and/or insure that compliant content is accessible to investors. Part A provides background discussion of disclosure requirements generally, while Part B examines requirements of the 2011 Cybersecurity guidance.
See full PDF below.