The United States Supreme Court’s majority decision in an SEC disclosure case on Friday might have a direct impact on how security executives disclose cybersecurity events.
The result in the Macquarie Infrastructure against Moab Partners case provided corporations permission to not disclose non-material occurrences, which was previously implicit in current SEC standards. The court was referring to hazards that are hypothetical and speculative but have not yet occurred. This might involve, for example, a series of assaults conducted overseas that could be adjusted to harm the firm in question. It hasn’t occurred yet, but it may.
CISOs should be aware that the court issued a significant caveat. It decided that, while firms have every right not to reveal such facts, they must take those issues into great consideration when framing what they do submit to the SEC. The court reminded firms that if undisclosed information makes what they submit to the SEC inaccurate or out of context, they might face harsh repercussions.
Enterprises “may potentially reduce their litigation/regulatory risk by carefully crafting all affirmative statements about their cybersecurity program so that these affirmative statements are less likely to become misleading in light of future events — such as new incidents, vulnerabilities, regulations, etc. — that shareholders or regulators might allege are material,” according to Brian Levine, managing director of cybersecurity and data privacy, strategy and transactions at EY.
If a corporation decides not to reveal particular facts at this time, it should conduct an exercise in which it assumes that the unannounced items are announced. This exercise implies that unannounced eventualities must be considered. They must be seriously considered, even if just to enhance the phrasing of the SEC announcement.
“The question in this case is whether the failure to disclose material required by Item 303 can support a private action under Rule 10b-5(b), even if the omission does not result in any misleading statements. “The Court holds that it cannot,” the decision stated. “Today, this Court confirms that the failure to disclose information required by Item 303 can support a Rule 10b-5(b) claim only if the omission renders affirmative statements made misleading.”
The judgment proposes a new modified tabletop exercise for committees choosing what to file following a material security issue. It should begin by addressing all potential threats that the cybersecurity team predicts shortly and whiteboarding each one.
On another board, write the current recommended SEC filing language for the recent security event. Then suppose that each alternative scenario unfolds most likely. The team next reconsiders the proposed phrasing, debating whether any of it would appear deceptive if the anticipated danger materialized.
This type of evaluation can serve as “a legal safeguard against potential claims of misleading-by-omission should other statements about the company’s security posture” change how investors might view earlier statements, says Andy Lee, who heads the privacy and data security team at the Jones Walker law firm.