The U.S. Securities and Exchange Commission recently toughened cybersecurity reporting guidelines for public companies, and days later Yahoo agreed to pay $80 million to settle a milestone class-action lawsuit brought by investors who claimed the company misled them about its cybersecurity practices.
This will set public companies into scramble mode as general counsels try to discern risk in an area where they lack expertise. The knowledge gap when it comes to cybersecurity is real, and details are going to matter as directors and officers alike increasingly become stakeholders in an area where no one wanted to take ownership previously.
Here are six intertwined takeaways:
Materiality of Cyber Risks
The SEC voted unanimously on Feb. 18 to issue what it calls “interpretive guidance” to be applied to disclosures of cybersecurity risks and incidents. This advice addresses the importance of cybersecurity policies and procedures and stresses that companies have an obligation to consider the “materiality of cybersecurity risks and incidents” when preparing public reports.
To put a finer point on it, the commission is asking public companies to inform investors about material cybersecurity risks and incidents in a timely fashion, says Willy Leichter, marketing vice president at Virsec Systems, a supplier of application security systems. “This includes those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack,” Leichter says.
Directors and Officers Liability Insurance
Meanwhile, the Yahoo settlement, which still must be approved by the court, quantifies in dollars and cents precisely what’s at stake for the directors and officers themselves, in terms of so-called D&O liability, should they be perceived to mishandle a massive data breach that unfolds during their watch. In addition to the $80 million class-action settlement, the plaintiffs’ attorneys have asked the court to order Yahoo to pay $20 million in legal fees, and up to $750,000 as reimbursement for other work expenses.
Devil in the Details
The SEC’s fresh advice expands on staff guidance initially issued in 2011. The devil is in the details, of course, and there are a couple of notable new nuggets, according to N. Peter Rasmussen, senior legal editor at Bloomberg Law. The commission is emphasizing the importance of maintaining comprehensive cybersecurity policies and procedures and integrating them throughout the disclosure process. In determining their disclosure obligations, companies should generally weigh “the potential materiality of any identified risk, the importance of any compromised information, and the impact of the incident on the company’s operations.”
Yahoo had to screw up on a Herculean scale to find itself in this position. In September 2016, the company announced that the personal data of 500 million users was exposed, and then in December 2016, it reported that the data of 1 billion users–wait for it–had been exposed in a separate breach! Oh, and by the way, the smaller breach occurred in 2014–a year after the larger one. Shortly thereafter it was revealed that the number was actually easier to express in a phrase: Pretty much everything (3 billion users).
Following the company’s September 2016 mea culpa, Yahoo’s share price declined 3.06%. And following its billion-user breach disclosure, its share price dove 6.11%. But the real kicker was the discount Verizon Communications got as part of its 2017 acquisition of Yahoo. Verizon sought and obtained a price cut of $350 million, according to the plaintiffs’ law firm, Pomerantz LLP.
Not Far Enough
One SEC member, Kara Stein, expressed disappointment because she wanted the commission to go much further than rehashing staff suggestions that have been lying around for seven years. Stein, who was appointed by President Barack Obama in 2013, said she would have liked to have seen the commission push for risk management framework improvements, minimum standards to protect the personally identifiable information of investors, and timely notice to investors. She’d like to require companies to file a Form 8-K following a cyberattack, providing disclosure that informs the public without unduly harming the company.
Plaintiffs’ Big Payday
The lawsuit laid bare multiple poor choices by Yahoo: failing to encrypt and sufficiently protect data; failing to detect and disclose the breach in a timely manner; plowing ahead with the sale to Verizon. As a result, Yahoo is now on the hook to pay four times as much as Target, which paid an $18.5 million settlement to attorneys general in 47 states for losing records for 41 million customers.
What’s more, Yahoo is the payer in the first data breach-related lawsuit in which plaintiffs’ lawyers have scored a big payday, says Kevin M. LaCroix, an attorney at ProExec, a management liability consultancy. “It is hard to know for sure, but this milestone settlement, together with the SEC’s new disclosure guidelines, could mean that data breach-related shareholder litigation could be an area of increased focus for the plaintiffs’ lawyers,” LaCroix writes in his blog.
If LaCroix is right, boardroom meetings will never be the same, and when it comes to cyber that’s a move in the right direction. But what does this mean for small businesses? Many assume that they don’t have the budget to afford the sort of cyber solutions required to stay safe–and they are wrong. The fact is, you can’t afford not to have a solution in place, at the very least a cyber insurance policy. But always remember that this offers no protection against the persistent dangers that are out there. It may make sense to add a cyber consult, outsourcing the CISO role, and still other outsourced roles, but first you need to admit that if Yahoo has a problem with this, so could you.