Following the previous quarter’s SEC guidance on cyber risk disclosure, companies are beginning to inform investors about material events that could impact the bottom line.
Evolver Vice President Chip Block provides an update on cyber risk scenarios, following a possible breach of sensitive medical information in the world of medtech. The update relates to Evolver’s whitepaper on the SEC’s updated guidance regarding disclosure of materials risks and cyber incidents.
And the disclosing begins.
A small medical device company, Inogen, Inc., reported “an unauthorized individual may have gained access to personal information belonging to some Inogen rental customers including their name, address, telephone number, email address, date of birth, date of death, Medicare identification number, insurance policy information, and/or type of medical equipment provided.” This disclosure was provided in their SEC Form 8-K report.
It has been almost two months since the SEC released its Commission Statement and Guidance on Public Company Cybersecurity Disclosures. This guidance significantly changed how the SEC sees public companies disclosing future cybersecurity risks. We addressed this change in our paper Reflections on the SEC’s Guidance: The Rise of the Investor in the Discussion that described how the guidance calls for a move to a detailed, monetary quantification of cyber risks and the disclosure of this information in regular disclosure reports.
So what is the general reaction to this guidance? Having met with several companies, industry seems to be moving from the confusion stage to the realization the guidance from the SEC is not really that unreasonable. Several major risk experts have weighed in on the topic and provided some really solid thought leadership. I believe this webinar by Jack Jones, Tips on SEC Cybersecurity Guidance, from the FAIR Institute provides a good summary of steps ahead.
Jack uses the webinar to answer several key questions regarding the growing list of requirements for public companies. These include:
- Potential risk factors companies will have to disclose to their investors.
- Company assets that have value/liability characteristics which can encourage threat actors to attack.
- Example scenarios where threat actors can leverage vulnerable assets against a company’s investors.
- Definitions of the materiality threshold which would compel a company to disclose potential cyber risk or incidents.
- Next steps for companies who need assistance in identifying vulnerable assets and assessing risk to prepare for disclosure.
The other interesting feedback we have received from several of our clients is that the guidance from the SEC is actually the cornerstone of a good cybersecurity program. How do you decide how much and where to spend money if you do not know the quantified risks you are trying to mitigate? The question that seems be at the forefront of this discussion is how do you get a program of this type started and, after you have results, how much do you disclose to the public?
The Inogen report is fairly straightforward as they have had an incident. The report, however, just says an unauthorized individual had access to sensitive information, not that it was shared or extracted from the company. As Inogen makes oxygen tanks, they are not your normal major corporation that shows up on the front page of the newspaper. With the new SEC guidance, companies such as Inogen are reporting to meet the guidance. From a response perspective, Inogen has also met most expectations as to timely reporting of a potential breach through their SEC disclosure.
Interestingly, there are two things in the Inogen disclosure that caught my attention. First was whether the incident qualifies as a “material event” in the context of the SEC guidance. The second is the mention that Inogen had insurance but that it is limited and may not cover this event. Trish Carreiro, a lawyer from Axinn, Veltrop & Harkrider, gives a good summary of the insurance issues associated with the rising number, and nature, of attacks. Trish and I recently did a webinar on this topic that you can view here.
Where the issues are going to get more challenging relates to the SEC guidance on reporting of future risk. If no event has occurred, how do you report the risk of what might happen? This is where the integrating of cyber technical and business functions of corporations is going to be essential. As more reports begin to get filed, this will be the area to watch.
Evolver Vice President Chip Block will be discussing SEC reporting at the National Association of Corporate Directors Research Triangle Chapter event on May 15, 2018 in Durham, NC.
