With all the emphasis on increased candor in disclosures about cybersecurity in recent years, it’s a little surprising that, according to a recent ProPublica report, there’s one type of cyber breach that companies are unwilling to call by its name – specifically, a ransomware attack. Here’s an excerpt:
Each year, millions of ransomware attacks paralyze computer systems of businesses, medical offices, government agencies and individuals. But they pose a particular dilemma for publicly traded companies, which are regulated by the SEC. Because attacks cost money, affect operations and expose cybersecurity vulnerabilities, they sometimes meet the definition used by the SEC of a “material” event — one that a “reasonable person” would consider important to an investment decision. Material events must be reported in public filings, and failure to do so could spur SEC action or a shareholder lawsuit.
Yet some companies worry that acknowledging a ransomware attack could land them on the front page, alarm investors and drive down their share price. As a result, although many companies cite ransomware in filings as a risk, they often don’t report attacks or describe them in vague terms, according to experts in securities law and cybersecurity.
The report points out that ransomware attacks are often featured in risk factor disclosure, but many companies victimized by these attacks seem to take the position that they aren’t material because customer data hasn’t been compromised.
There may be an argument for that position, but companies that consider adopting it should take a hard look at the language of their risk factor disclosure about ransomware. As Facebook found out last year, while it’s prudent to warn about risks that haven’t happened, disclosure that suggests an event is merely a risk when it has actually occurred may well be misleading.
- John Jenkins, TheCorporateCounsel.net, January 7, 2020