Auditor’s Report Indicates that Cybersecurity Disclosures May Be Protected Under SOX
This past month, Ernst & Young (EY) released a report that further demonstrates how cybersecurity has affected public corporations and the way they do business. As we have previously written, cybersecurity issues often also implicate securities law, and EY's report confirms that information security has become an entrenched component of how corporations run their businesses and of what they disclose to the public. According to the report, CEOs ranked national and corporate cybersecurity as the top global challenge to business growth and the global economy. The very fact that audit firms like EY and regulators like the SEC are tracking and researching corporations' cybersecurity efforts with such vigor reflects this reality.
It is important for whistleblowers who report information security concerns to understand that they are not just disclosing security vulnerabilities, non-compliance with privacy requirements, or anemic IT resources; they are also reporting business practices that investors and regulators want to know about. Because of that, cybersecurity whistleblowers may be protected under existing anti-retaliation laws even though no whistleblower provision specifically protects information security disclosures.
Key takeaways from the EY report include:
More companies are addressing cybersecurity in their public filings and statements;
Companies are disclosing more about their cybersecurity practices, with an emphasis on board oversight practices;
Cybersecurity is becoming increasingly integrated with business processes and operations, from product releases to business deals; and
Most investors want to know about companies’ cybersecurity practices.
The report shows just how prevalent cybersecurity disclosures have become in corporations' public filings, indicating how central these risks now are to assessing a business. EY reviewed communications to investors from dozens of Fortune 100 companies and found that nearly 9 out of 10 made cybersecurity-related disclosures. The report also found that the number of companies making such disclosures had increased from the prior year, and that the disclosures had grown more specific. Nearly all companies disclosed efforts to manage and lessen cybersecurity risk. Slightly more than half disclosed response planning, disaster recovery, or business continuity concerns. In both years, however, only nine percent reported that their cybersecurity risk preparedness includes simulations (such as penetration testing), even though EY advises that simulations are a necessary component of risk preparedness that boards should prioritize.
In our practice, we have witnessed the evolution from corporations' old view of information security as a cost center of secondary importance to its current status as an embedded part of business processes. Sales teams used to view cybersecurity issues as a nuisance or disregard them entirely. Now, business operations are often driving positive change, having come to understand that customers demand adequate cybersecurity from those who will receive their sensitive information. Closing deals often requires making contractual commitments to information security and data privacy. Cybersecurity is even being viewed as a selling point in a business climate that is increasingly cloud driven. Cybersecurity's integration into every aspect of business is perhaps most visible in its impact on corporate boards: according to the EY report, more than half of companies now list cybersecurity as an area of expertise sought on the board or include it in a director biography.
Equally important is the report's confirmation that investors want to know about information security and consider cybersecurity practices when evaluating firms. The EY report found that most investors believe cybersecurity is a necessary part of risk oversight. When asked about the top risk issues they raise with companies, 61 percent of investors named cybersecurity, regardless of sector. Investors identified board oversight, how directors develop cybersecurity-related skills, management's approach to cybersecurity risk, and data privacy compliance as key concerns. In other words, investors have become attuned to the impact that cybersecurity can have on a business's profitability, and so information security has naturally become material to investors.
The fact that corporations are reporting on cybersecurity, and that investors consider cybersecurity as part of the total mix of information they weigh in making investment decisions, are key observations for potential whistleblowers. The Sarbanes-Oxley Act (SOX) protects whistleblowers who report what they reasonably believe to be violations of securities laws, including shareholder fraud, and a material misrepresentation or omission of fact (one that would be important to investors) is a key ingredient of shareholder fraud. Thus, reporting deficient cybersecurity practices that contradict a company's public claims may be protected under SOX.
Before you blow the whistle, consider:
Would investors want to know about this issue?
Has the issue been excluded from public disclosures?
Does the issue relate to other issues included in public disclosures?
Are public disclosures on the issue incomplete?
Is the issue one that directly relates to cybersecurity risk?
If the answer to any of these questions is yes, your disclosure of a cybersecurity misrepresentation or omission may be protected under SOX. However, whether any specific disclosure is protected from retaliation depends on an analysis of the particular facts and the applicable law, so cybersecurity whistleblowers would benefit from contacting an experienced attorney for advice before reporting.