Communicating with the SEC When Your Organization Suffers a Data Breach
When organizations that are issuers or registered entities under the United States securities laws suffer a data breach or other cybersecurity incident, their in-house counsel will have to wrestle with what to tell the Securities and Exchange Commission (SEC), and perhaps the public, about the breach.
As we discussed in an earlier post, the SEC, through recently issued guidance and two enforcement actions against large issuers, has made it clear that the agency expects reporting companies and their in-house counsel to seriously evaluate the materiality of their companies’ breaches, and to disclose material breaches in a timely fashion.
But as an organization determines the materiality of a breach, it must also decide how it plans to communicate with the SEC about the mere fact that the breach occurred.
Doing so can help the organization build goodwill with the SEC by showing that the organization is taking seriously its disclosure responsibilities, and that it wants to keep the SEC apprised of the breach and the organization’s subsequent investigation into it.
Here are four considerations in-house counsel should keep in mind when communicating with the SEC about a data breach their organization has recently suffered.
Open a dialogue early in the post-breach investigation process.
There is a misconception that reporting companies should only notify the SEC about a data breach after they have completed their investigations into the breach.
The SEC values being notified promptly about a data breach, even when a reporting company is still sorting out what happened and whether the breach is material. Indeed, a reporting company is less likely to get credit from the SEC for working with the agency in the post-breach investigation process if the SEC first finds out from another source that the organization suffered a breach.
Opening a dialogue early can be particularly helpful when other government agencies are involved in a breach investigation and have perhaps asked your organization to refrain from talking publicly about the breach while their investigations continue. The SEC understands the difference between improperly withholding information from shareholders and accommodating other government agencies' need for discretion, so ensuring that SEC staff are informed about overlapping investigations, and about their potential impact on your decisions, may influence how the SEC views your actions.
When opening an early dialogue, it is important to know with whom at the SEC your organization should be speaking. If possible, it is better to initiate communication with personnel with experience considering data breaches than with other SEC attorneys who may be unfamiliar with data breaches and the subsequent internal investigations they typically trigger.
The SEC will want to know an organization’s plan for dealing with the breach.
Immediately after a breach occurs, the SEC will want to know what information has been compromised, how valuable that information is, and how the unauthorized access to your organization's information could affect its business.
In this early going, the SEC wants to know that your organization understands what happened and what is at risk. But fairly soon after your organization learns of the breach, the SEC’s focus may change. The SEC will likely want to know what your organization’s plan is for responding to the breach.
Given the SEC's mandate, it will want to explore how your organization will determine whether the breach was material and whether, and when, it should be disclosed. That includes monitoring the fallout from the breach and understanding the potential damage it has caused inside the organization and out. Remember that the SEC's interest in your organization's response plan comes back to its goal of stopping or limiting harm to your organization's shareholders and to other participants in the securities markets.
First, the SEC will want to know whether your organization is complying with its own policies and procedures for dealing with a data breach or other cybersecurity incident.
Second, it will want to know whether the market has enough information to ensure that trading in your organization’s securities is fair given what has transpired and what your organization—and possibly others—know about the breach.
Finally, the SEC will want to know that your organization is taking steps to prevent insider trading (because knowledge that a data breach occurred can be considered material, non-public information).
Companies need not have a fully articulated plan when first engaging with the SEC, particularly when such engagement is commenced early post-breach. But your organization must show through its communications with the agency that it is working toward determining what, if anything, it must disclose regarding the breach.
Do not jump the gun when discussing the materiality of the breach with the SEC.
At a certain point, your communications with the SEC will turn to an analysis of whether the breach at issue was material and must be disclosed. This is where, hopefully, your organization’s plan for responding to the breach will pay dividends.
That is because a materiality analysis is a fact-intensive one. It is also the kind your organization should not present in conversations with the SEC with certainty until the organization has enough facts with which it can evaluate the question appropriately.
Critically, your organization should be sharing what it knows and not what it hopes. Materiality determinations will often turn on how facts fit into the particular context and background about which your organization is aware at any given moment. If the facts on which a materiality decision will be based are not fully developed, that context may be inaccurate.
Furthermore, the SEC often has information about data breaches that victim organizations do not. For example, the SEC might know about similar breaches and might be sharing information with law enforcement agencies that are further along in piecing together the puzzle of a breach than the victim organization. This potential information imbalance presents another reason to maintain a dialogue with the SEC as you get your arms around the facts and circumstances of your particular breach—as the SEC may be able to take steps to protect investors that will inure to your benefit later—but also underscores the need to avoid offering conclusions based on a less-complete understanding of relevant facts than the SEC may already have.
Experience counts when notifying the SEC about a data breach and evaluating its materiality.
To place itself in the best position possible when engaging with the SEC regarding a data breach, your organization must ensure that the people working on its behalf know what information the SEC will seek. You will need to know whom to call at the SEC to begin a dialogue, how to go about carrying out your plan for responding to the breach, and how to communicate with the SEC when it comes to determining the materiality, if any, of the breach.
An organization should not take these interactions with the SEC lightly. As the SEC has shown, it will not hesitate to bring enforcement actions against reporting companies that, in the SEC's eyes, fail to consider the materiality of, and timely disclose, their cybersecurity risks and incidents.
This article in our “Beyond the Breach” series was authored by Michael D. Birnbaum, a partner in Morrison & Foerster’s Privacy + Data Security group.