TheCorporateCounsel.net

June 11, 2020

Cyber Breach Disclosure Trends

Last year, Liz blogged about how disclosure related to a cyber breach presents a tricky issue because disclosure requirements vary quite a bit for companies based on state-specific laws, industry rules, varying international laws and, of course, SEC requirements.  Audit Analytics recently issued a report analyzing cyber breach disclosure trends from 2011 – 2019.  A chart on the first page of the report shows a dramatic increase in the number of breaches since 2011, with an increase of 54% in the last two years.  In terms of disclosure detail, here is some of what the report found:

– 43% of firms that reported a cyber breach since 2011 didn’t disclose the type of attack – meaning whether it resulted from malware, phishing, unauthorized access, etc.

– For companies disclosing a data breach since 2011, Audit Analytics found that it took an average of 108 days before companies discovered the breach – with a maximum of 1,625 days and a median of 30 days.

– But it took companies on average another 49 days before disclosing the breach – with a maximum of 456 days and a median of 30 days.

– The report mentions, as most already know, that delays in discovering data breaches may raise red flags about internal controls, and that disclosure delays could lead to SEC action, as was the case involving Yahoo! several years ago.

– Shedding light on factors that may lead to delays in discovering data breaches and longer disclosure time, the report found that a company’s industry, the type of attack and the type of information all impact time to discover a breach and delays in disclosure – the blog provides specifics on these findings.

Cyber Breach Disclosure & Insider Trading Risk

The risk of insider trading with cyber breaches originates from several factors – one being delays in disclosure.  Based on the average 7-week disclosure delay reported by Audit Analytics, it’s important to keep insider trading risk top of mind now, as many have warned about the growing prevalence of Covid-19-related cyberattacks – a Baker Hostetler blog discusses those warnings.

In terms of what to do about cyber breach disclosure and risk of insider trading, a recent Greenberg Traurig blog provides a refresher of the issues.  Besides investing in IT and security infrastructure and employee compliance training programs, the blog also offers these suggestions about clarifying company policies:

An area where many organizations could focus attention is in clarifying certain policies, in particular, in relation to data breaches.  For instance, clarification or heightened emphasis can be given to trading blackout periods.  This clarification or heightened emphasis could be included within an incident response plan or other company protocols in the event of a suspected data breach.  Such policies must provide specificity as to how such a blackout period will be determined and communicated. Other considerations for incident response plans include limiting who has access to information about an incident, storing incident documentation in access-controlled locations, and implementing a review and approval process for selling stock post-incident.

Also, here’s a reminder to participate in our survey about Insider Trading Policies and Covid-19 Adjustments.

More on “Change: One Asset Manager’s Call for Companies to do More”

On Tuesday, I blogged about one asset manager calling on companies to take concrete “anti-racism” steps and wondered whether other investors would start using this moment to push for change. Later that day, CII published this “call to action” – noting that many of its investor members have pushed for years for greater diversity & fair workplace treatment, and that we all must do more.

Based on a recent blog in IR Magazine, it sounds like more investors may be stepping up pressure on companies to do more too:

The Interfaith Center on Corporate Responsibility, which represents more than 300 institutional investors with more than $500 billion in assets under management, has a small group of investors working on a formal position about racial equality.  ICCR said racial equality has been a prominent talking point since the start of Covid-19 when concerns were raised about the disproportionate effect Covid-19 was having on black Americans. The blog also says that Ceres, which has an investor network that includes over 175 institutional investors with more than $29 trillion in assets under management, is reviewing all policies and practices to achieve a ‘just and sustainable future for all people.’

In terms of what this might mean for shareholder proposals, the blog discusses how some proponents are watching which companies follow through on anti-racism statements.  As You Sow is maintaining a database of companies that have published statements on Black Lives Matter and racial equality and it’s interested in which companies follow through on their statements. The blog quotes As You Sow’s CEO as saying ‘veracity and honesty are the most powerful commodities a person and a company can have’ and it plans to use the information gathered in its database to hold companies accountable.

As an aside, messages about hope, justice and change have sprung up around Minneapolis through street art on plywood that businesses used as they boarded up in response to unrest – here’s one photo with a message that seems on point – it’s of a local, boarded up Minneapolis movie theater…

– Lynn Jokela