Cyber security disclosures leave shareholders in the dark

By Holly LaFon

Escalating cyberattacks against major U.S. companies, among them Sony Corp., Target and JPMorgan, have called into question whether regulators are requiring enough openness once an attack has occurred.

The issue doesn’t just affect consumers, whose credit card and other data may be at stake, but shareholders, who also have financial skin in the game.

Click to see timeline of attacks.

The concept at the heart of this is materiality, or any information that could impact a shareholder’s decision to buy or sell a company’s shares, according to Securities and Exchange Commission rules.

“How many breaches have material affects?” said Dr. Martin Loeb, University of Maryland professor of account and information assurance. “When a General Motors has a breach and they have to spend $150,000 to detect and fix the breach, that’s just a normal operating expense. So most don’t have a material effect, but there’s still a threat that a big breach could have a very major effect.”

In the now-notorious Target Corp. breach last December, the severity of the attack was not revealed until weeks later. The company’s shares fell by as much as 10 percent in the wake of the disclosure and as it became clear that spooked shoppers had stayed away from the retailer during the key holiday season.

For all of 2013, there were 1,367 confirmed data breaches and 63,437 security incidents among global organizations that participated in a 2014 Verizon Data Breach Investigations Report.

Though the SEC issued new guidelines in 2011 to help companies decide when they should disclose a hacking incident, the decision to do so is voluntary.

“In deciding the nature and extent of the disclosures, I would encourage companies to go beyond the impact on the company and to also consider the impact on others,” said SEC Commissioner Luis A. Aguilar in a June 10 speech in New York.

“It is possible that a cyber-attack may not have a direct material adverse impact on the company itself, but that a loss of customers’ personal and financial data could have devastating effects on the lives of the company’s customers and many Americans.”

The SEC urges companies to caution investors about their cyber security risks in their annual 10-K reports. This helps protect companies against potential lawsuits if something goes awry, and many more companies are including notes about such risks since the SEC issued the guidelines.

Yet many of the disclosures companies now offer in their annual reports amount to standardized, boiler-plate statements lacking in detail and leaving shareholders in the dark.

“It’s the worst because people will only do what the law requires and then they’ll stop,” said Jody Westby, CEO of Global Cyber Risk LCC, which advises executives on managing cyber risks in their businesses. “It gives executives cover because they can say ‘we met requirements; otherwise we’re wasting shareholder money.’”

Thus shareholders who do believe a board did not adequately defend against risks and attempt to sue may have more difficulty if they cannot definitively show that it failed to meet an SEC requirement.

By law, the SEC staff is required to review disclosures, including those about cyber security breaches, once every three years, though it reviews some companies more frequently. Staff correspond with companies regarding anything they finds that might not be clear enough for investors or that investors aren’t being told about. Once the issues are resolved, the agency publishes the letters on its website for the public to read.

David Katz, a partner at Wachtell, Lipton, Rosen & Katz in New York, whose work involves investing and corporate boards, does not believe that companies will only do the bare minimum the SEC requires because they believe that will be enough to protect it from lawsuits.

“That’s always a possibility,” he said. “I don’t think that’s the way boards of directors work in the real world. Remember that the SEC is focused on disclosure requirements, making sure there’s adequate disclosure. So I don’t think a company would simply say we made the right disclosure and we’re fine.”

Loeb said data breaches don’t always have a big impact on a company’s stock, even if it appears that way. Take the case of Target.

The retailer announced Dec. 19, 2013, that hackers had gained access to 40 million customers’ payment card data. The company’s shares ended the month up almost 2 percent. When it announced in January that the names, mailing addresses, phone numbers and email addresses of 70 million customers had also been stolen and reported the financial impact the breach was having on the company, shares fell by as much as 10 percent through February.

But Loeb said investors should look at the data in context.

“If you look at Target, its stock did decline, but there were other things happening, and it bounced back afterward,” he said. “At the same time that was happening they were doing poorly. They opened up a lot of stores in Canada and earnings and sales were less than expected. So compounding things were happening.”

In the same press release it announced the expanded data theft, Target also lowered its fourth quarter 2013 guidance range for its U.S. segment by 10 cents, citing dilution related to store closings, real estate impairments and losses at its Canadian segment, among other items. It did not at that time state estimated losses related to the data breach. The retail chain also said it had stronger-than-expected fourth quarter sales prior to the announcement of the data breach, followed by “meaningfully” weaker-than-expected sales since the announcement.

“The more breaches that get disclosed the more commonplace it becomes, so it’s less of an issue,” Katz said. “So you have to look at different companies. If a company’s going to really do damage over the long run to a breach, I think investors will take that into account.”

In another instance, JPMorgan, the largest bank in the U.S., announced on Oct. 2 a data breach that affected 76 million households and 8 million small businesses. Hackers stole names, addresses, phone numbers and email addresses, but not account numbers, passwords, user IDs, dates of birth or social security numbers.

JPMorgan’s shares ended the week up about 2.5 percent. When the company announced increased third quarter earnings that missed analysts’ expectations on Oct. 14, shares fell by almost 5% in the following two days.

JPMorgan CEO Jamie Dimon said the bank would double spending on cybersecurity following the attack. The company has not said whether the data breach has had additional business impacts.

Kmart stores fell prey to hackers this year as well. The company announced on Oct. 10 that malware had infected its system since early September, stealing debit and credit card numbers but no personal information, PIN numbers, email addresses or social security numbers. Shares of Sears Holdings, its parents company, closed up about 3.8 percent the following trading day.

Security breaches are worse for a company and its shareholders if they involve access to information critical to the company’s business, such as a customer list, or in the case of Sony Corp., upcoming feature-length movies critical to its future earnings.

In the wake of the Nov. 24 hack attack and unauthorized release of five movies, Sony shares are down 3.4 percent.

Loeb’s research showed that such a theft could dramatically reduce the company’s underlying value. Other kinds of attacks, such as those that stop a firm’s ability to conduct business temporarily, have less impact because the firm can continue business once it fixes the problem.

Katz argued that increased openness about attacks companies deemed immaterial could either cause unnecessary alarm or become so commonplace that investors no longer pay attention.

“I think you can take that too far,” he said. “There’s all sorts of risks companies face from plane crashes to executives to everything else… it should be more of an issue of the risk factors that can be disclosed so that investors understand that if there is a material breach, what could be the impact on the company’s business and what steps the company is taking to mitigate those risks.”

Westby said that companies are making more of an effort to inform shareholders of attacks, realizing that social media and instant communication prevent them from concealing big breaches as much as they used to.

“That said, those that are, they are being probably as broad and as general as they possibly can,” she said. “And nobody’s going under the covers.”