How a Cyber Event is Disclosed Matters to Treasury

September 13, 2016
Cybersecurity disclosure study unveils treasury-related risks.

After a cyber-security event, companies typically make their initial public announcement via press coverage rather than in current Form 8-K filings, a recent study has found. And when companies report the incident on the record in a regulatory filing, it is usually in quarterly 10-Qs and annual 10-Ks. From a treasury perspective, delaying the regulatory reporting could result in litigious financial-transaction counterparties later on, but reporting too soon also presents potential legal perils.

Law firm Debevoise & Plimpton recently analyzed how Fortune 100 companies responded to cyber events. It found that between January 2013 and the third quarter of 2015 they reported 20 incidents of major data breaches or cyber-security events, likely a small fraction of all cyber events at those and similar companies.

In most cases, companies initially reported incidents via press coverage, which carries the same weight as 8-K filings under Regulation Fair Disclosure (FD), the rule requiring that material disclosures to any one market participant be made public simultaneously. For their regulatory disclosures, companies tended to use their 10-Qs and 10-Ks instead. However, 8-K filings become a part of the record sooner at the Securities and Exchange Commission (SEC), potentially reducing the risk of future litigation that could stem from less timely quarterly filings, particularly in the realm of treasury activities.

“I would have expected more initial exposure in 8-Ks, especially considering the role of the treasurer and the various activities around share repurchases, securities offerings, and financing transactions, where you’re making representations and disclosures to third parties,” said Paul Rodel, a partner at Debevoise & Plimpton and a member of its capital markets, banking, private equity and Latin American groups.

Mr. Rodel said the reporting delay most likely stemmed from uncertainty around the cyber event. “You don’t want to rush out with something, especially an 8-K that’s filed and incorporated into your liability documentation, and then find out you got it wrong,” he said.

Ideally, companies can keep mum about the cyber event until their cyber response teams have thoroughly investigated the nature and extent of the attacks. The study found that early disclosures were typically major breaches that resulted in the theft of customers’ personally identifiable information, especially financial information. There’s often less urgency to disclose business email compromise (BEC) and malware attacks that seek to pilfer funds, Mr. Rodel said, and if the amount stolen isn’t material, it might simply be described as an operating loss in the 10-Q or 10-K.

However, relying on a press release or waiting to make regulatory disclosures in 10-Qs or 10-Ks, so the cyber response team can dot all the i’s and cross all the t’s, carries risks as well. In part that’s because a press release is not automatically deemed to be a part of the disclosures the company is making to counterparties in a financial transaction.

“If treasury executes a transaction when there’s still some uncertainty around a recent cyber event, and the company discloses that event at a later date but the facts predate the execution, then a disgruntled counterparty can come back and say there was a material omission and the transaction documentation was incomplete,” Mr. Rodel said. “That’s the risk a company takes by waiting. If it can instead get to a level of confidence to say something in an 8-K, to put counterparties on notice, then it reduces the risk of being accused of omitting a material fact.”

Mr. Rodel said treasury executives should also consider whether there are ongoing activities at the company that could trigger disclosure complications following a cyber event, such as share repurchase programs, securities transactions in the works, or other financing transactions that require making representations and disclosures.

“The treasury team may have to shut down the share repurchase program or hold off on the securities offering if it believes there’s a risk that the cyber event might be material,” Mr. Rodel said.
