Corporate Cyberattacks Come Out of the Shadows
Craig A. Newman and Daniel L. Stein
Since the dawn of cybercrime in the late 1990s, public companies have largely operated under the notion that, while they have an essential responsibility to guard their data with appropriate security measures, they have little duty to report attacks to investors and regulators. That is all about to change.
A full-fledged cyber war is now completely out of the shadows and was put on center stage during the June 8-9 summit between President Barack Obama and Chinese President Xi Jinping. While little specific progress came out of the meeting, National Security Adviser Tom Donilon said afterwards that cybercrime is the “key to the future” of the U.S.-China relationship, making it ever more clear that each cyber-incident is now part of a high-level military and diplomatic dance.
This escalating, and highly publicized, battle over cybercrime is going to force U.S. businesses to be more forthcoming about attacks, exposing them to significant new legal and regulatory threats.
While it might seem obvious that companies would consider nearly any significant cyber-attack a material event requiring proper disclosure, the reality is that the legal and regulatory implications of attacks are extremely murky. In fact, organizations face intensely conflicting interests. A company trying to decide what and how much to disclose, and to whom, faces a decision much like the one facing the kid whose lunch money has been stolen by the bully: Is there more risk in telling the authorities or in remaining silent?
Guidelines previously issued by the Securities and Exchange Commission (the Division of Corporation Finance's 2011 disclosure guidance on cybersecurity) are far from comprehensive and leave many details to the discretion of individual companies, which have been slow to alert investors, when they do so at all. Why? Because saying too much is a very dangerous proposition.
Public disclosure can actually undermine a company’s cybersecurity efforts or jeopardize an ongoing law enforcement investigation. The SEC itself acknowledged that providing too much detail could provide a “roadmap” for infiltrators.
And with that, companies have often chosen non-disclosure or vague disclosure as the best options. But in the new cyber reality, those options are quickly disappearing.
With blame for many recent cyber-attacks being put squarely on the Chinese government, it is clear that the battle against international hackers is being escalated—and each attack on a public company will be intertwined with broader diplomatic efforts. Businesses that once dealt behind closed doors with cyber-breaches will now find themselves on the front lines. The exposure that will come with this changing landscape will create rich opportunities for investors, lawyers, and regulators to seize upon any organization that has not taken adequate measures to shore up—and communicate about—its digital infrastructure.
In recent months, companies such as Google, AIG, and Quest Diagnostics have all filed revised cybercrime disclosures after being called out by the SEC. But a regulatory slap on the wrist is just the start; the potential legal liability for a company, its executives, and its board is staggering. With the new, more public reality of the global cyber-battle, prosecutors and plaintiffs’ lawyers will be sharpening their knives to hold corporations responsible for the inevitable losses caused by cybercriminals.
When you break down all of the issues at play, it starts to feel like doing technological battle with Chinese hackers is merely the opening act to what is sure to be a much larger drama. Businesses have no easy answers to this complex challenge, but there are two things that should happen immediately:
- The SEC must step up with guidance that is more direct and detailed, and that takes into account the significant competing interests companies face, especially if public disclosure would jeopardize ongoing law enforcement efforts or expose critical vulnerabilities. If the federal government is going to embark on a high-profile cyber-campaign, it must give businesses clear direction and guidance.
- Regardless of regulatory guidance, corporations need to get specific with their cybersecurity preparedness—not only to protect themselves against attack, but to shield themselves from lawsuits that are in the offing.
Simply having the best technology in place isn’t enough. Companies must adopt and articulate clear policies that outline the steps being taken to protect sensitive data, along with their responsibilities and plans for disclosing breaches. They should clearly define the roles of senior management and directors, address and explain their insurance coverage, and specify the frequency with which security policies are updated.
The new cybercrime reality is likely to put businesses in the middle of a global diplomatic battle and bring an end to the days in which a hacked business can lurk just outside the spotlight. It’s a dangerous new reality, but a company that proactively adopts and publicizes sound cybersecurity policies will find it far easier to meet investor and regulatory obligations without compromising security or law enforcement efforts.
Craig A. Newman and Daniel L. Stein are litigation partners with Richards Kibbe & Orbe, a New York-based law firm. Stein is a former federal prosecutor in New York. Newman also serves as chief executive of the Freedom2Connect Foundation, a nonprofit group focused on promoting Internet freedom through the use of technology.