2019 was no stranger to cybersecurity incidents, and with more of America’s workforce working remotely due to the 2019 novel coronavirus (COVID-19) pandemic, the number of incidents in 2020 is sure to increase. Almost every industry is impacted by cybersecurity incidents and it is important for companies to understand this risk and adequately disclose them in their filings with the Securities and Exchange Commission (SEC). In its 2018 guidance, the SEC advised that a company’s disclosure “should avoid generic cybersecurity related disclosures” and should appropriately educate investors on the impact a cybersecurity incident will have on a company’s business operations and its financial condition. The materiality of a cybersecurity risk is dependent on the nature of business and the potential magnitude of the compromised information.
Some aspects companies need to consider include:
- The company should consider the cybersecurity risk that is specific to its industry. For example, does the company store and transmit sensitive personal information?
- What preventative actions has the company taken with regard to the cybersecurity incident?
- Does the company rely on service providers and vendors that are vulnerable to cybersecurity incidents? For example, is the company completely reliant on cloud-based technology? Has the company recently acquired or merged with another entity?
- What are the costs associated with cybersecurity protections? Does the company maintain sufficient cybersecurity insurance?
- Are there privacy or cybersecurity regulations or laws (domestic or international) that the company would be subject to that would require a significant cost to comply?
- As it relates to COVID-19, companies should take into consideration the additional cybersecurity risks during this time. Is the company required to conduct more of its operation online instead of in person? Is more of the company’s workforce working remotely? Has the company used a videoconferencing service to conduct confidential company business? These circumstances may increase the company’s risks to a cybersecurity incident.
While companies should take into consideration the questions posed above when disclosing their cybersecurity risk factors, companies should also make sure such disclosures are factually correct. If a company’s systems are outdated and do not meet industry standards, the company should not disclose that it regularly reviews and updates its systems. Such a cybersecurity disclosure is misleading to investors and cannot be characterized as merely puffery when there is evidence that directly contradicts the statement.
The COVID-19 pandemic is likely to expose the data security vulnerabilities in many companies. Zoom Video Communications, Inc. (Zoom), a platform that has surged in popularity due to remote working, had experienced a number of security issues from “Zoombombing,” where uninvited attendees interrupt meetings.The surge in Zoombombing resulted in a class action lawsuit filed by shareholders on April 7, 2020, in the United States District Court for the Northern District of California. The lawsuit alleges that Zoom failed to disclose that it had inadequate data privacy and security measures. Further, the lawsuit claims that through the increase in Zoombombing, it became clear that “Zoom had significantly overstated the degree to which its video communication software was encrypted.”
A number of U.S. regulators have warned of the increase in cyberattacks during the COVID-19 pandemic as a result of the number of individuals working remotely. Due to the high risk of a data security incident, it is imperative for companies to ensure they are properly disclosing all cybersecurity risks. By doing so, a company may avoid shareholder litigation.