Generally speaking, publicly traded homebuilders and other public companies must disclose material information in their SEC filings. “Information is considered material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision or if the information would significantly alter the total mix of information available.” Basic v. Levinson, 485 U.S. 224 (1988).
As the agenda of hackers and other criminals has advanced, so has the issue of cybersecurity. The focus is on what risks exist in the company’s cybersecurity defenses and, if there has already been a data breach incident, whether the scope of the breach and the resulting adverse consequences (which may include regulatory investigations, SEC or FTC enforcement actions, securities class actions, and/or derivative lawsuits) are material and must be reported in SEC filings.
On October 13, 2011, the SEC’s Division of Corporation Finance (“Division”) published its Financial Disclosure Guidance: Topic No. 2 (Cybersecurity) (“Guidance”). The primary adverse operational and financial consequences of concern to the SEC include the following: (a) remediation costs; (b) increased cybersecurity protection costs; (c) lost revenues; (d) litigation; and (e) reputational damage. The Division advised registrants to consider the probability of cyber incidents and the “quantitative and qualitative magnitude of those risks” and advised that appropriate disclosures may include: (1) a discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and related costs and consequences; (2) a description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of costs and other consequences; and (3) relevant insurance coverage. Notably, the Guidance makes clear that the “federal securities laws do not require disclosure that itself would compromise a registrant’s cybersecurity.”
Although there is no specific SEC rule addressed to the issue of cybersecurity or data breach disclosures, the Division’s Guidance explicitly states that the panoply of existing SEC rules and related disclosure requirements may mandate disclosure in any event. Homebuilders and other publicly traded companies need to be aware of the Division’s Guidance, particularly as the Division has critiqued companies to press them for better compliance with disclosure requirements. It has done so more than 50 times since the Guidance was issued in the fall of 2011, directing criticism at a number of Fortune 500 companies and beyond.
This is a significant issue, both in terms of the potentially far-reaching effects of any data breach and the risk of serious adverse impacts on the company, as Target’s December 19, 2013 data breach and its resulting February 26, 2014 SEC 8-K filing reveal. There, Target disclosed that: (1) “we experienced a data breach in which certain payment card and other guest information was stolen through unauthorized access to our network;” (2) “we have a program…to detect and respond to data security incidents;” (3) “the techniques used to obtain unauthorized access…change frequently;” (4) “hardware, software or applications we develop or procure from third parties may contain defects;” (5) “all incidents we experienced” were “insignificant” until the fourth quarter of 2013; (6) “the breach we experienced was significant and went undetected for several weeks;” (7) “we experienced weaker than expected U.S. Segment sales immediately following the announcement of the 2013 data breach;” (8) “we are currently facing more than 80 civil lawsuits filed on behalf of guests, payment card issuing banks and shareholders;” and (9) “state and federal agencies, including State Attorneys General, the Federal Trade Commission, and the Securities and Exchange Commission are investigating…which may have an adverse effect.” (emphasis added).