Cyber Attacks: Unsure About Disclosure

In recent years, the threat of cyber crime has become a staple of the news cycle. While most reports focus on threats to unwitting consumers, a recent New York Times article looked at the predicament facing publicly traded companies.

The authors point out that in the age where cyber threats are growing in number and sophistication, corporations are often the victims of cyber crimes. This situation, the authors contend, presents corporations with a difficult dilemma. On the one hand, they are encouraged to cooperate with law enforcement authorities, where premature disclosure may compromise investigatory efforts. On the other hand, corporations have a duty to inform investors about significant business risks. The risks are especially prominent where a company has significant intellectual property assets. In those cases a cyber attack may be fatal to the business, which militates in favour of prompt disclosure.

For these reasons, the authors contend, there is a need for clear disclosure rules with respect to cyber crime. Unfortunately, the US Securities and Exchange Commission (SEC) has done relatively little in that respect. Authors point out that the SEC has issued guidelines for disclosure, but failed to provide clear and binding rules. Notably, the SEC “has neither approved nor disapproved” the guidelines.

The authors briefly discuss one possible and undoubtedly only partial solution, which is to allow “corporations a “pass” from public disclosure obligations if they refer the matter to law enforcement.” The article points out that there is a strong potential for abuse if the rule were implemented. Corporate citizens are likely to rely on the rule to simply stave off disclosure for as long as possible because of its negative effect on consumer and investor confidence.

Concerns about potential abuse of the proposed solution underscore the important role fulfilled by the government in combating cyber crime. Foregoing disclosure can only be justified if it is assumed that the relevant law enforcement agencies can effectively address the issue. Investors and corporate leaders need to be assured that withholding information regarding material risks is justifiable in practice. Thus, if law enforcement is ill-equipped to deal with cyber crime, then delaying disclosure to facilitate an investigation starts to look less reasonable from an investor’s point of view.

In addition, rules regarding disclosure obligations have to take into account that corporate entities often operate in multiple jurisdictions. For instance, a cyber attack that takes place in Ontario may nonetheless affect investors in another province or even abroad. A particularly problematic scenario arises where one jurisdiction may demand that a company withhold information regarding an attack while another jurisdiction demands prompt disclosure. Therefore, a coordinated and uniform approach to disclosure rules and cyber security in general should be a priority.

A brief look at Canada’s cyber security strategy is reassuring as it reflects the foregoing concerns. Indeed, the Government explicitly recognizes intellectual property as an especially attractive target for criminals and provides guidelines for Canadian business for improving security. Canada’s strategy also places heavy emphasis on cooperation among local, provincial and international partnerships in improving online security. When it comes to effective law enforcement, the Government has established the Canadian Cyber Incident Center to assist non-government systems with security issues and committed $155 million over the next five years to improving cyber security capabilities.

The problems surrounding cyber attack disclosure rules for publicly traded companies have not been widely discussed or debated domestically. Perhaps Canada is waiting for the US to take the lead on the issue in order to implement a coordinated approach; or perhaps the current state of cyber security in Canada is still in its infancy, making the debate premature. Whatever the reason, the general strategy adopted by the Government is promising to the extent that it demonstrates awareness of the issues that will inevitably affect the shape of disclosure rules whenever the time is right to have that discussion.

Anatoly Zhitnik is a JD Candidate at Osgoode Hall Law School