As high-profile cyber-attacks become increasingly commonplace, incidences of non-compliance by target companies with reporting and disclosure obligations are being taken increasingly seriously by regulators. Companies find themselves juggling the complexities of these legal obligations, with the practical realities of responding to these attacks.
A recent attempt by hackers to exploit US company MeridianLink's disclosure obligations, following a failed cyber-based extortion effort, crystalised some of the risks faced by organisations in the wake of material cyber incidents.
MeridianLink
Following a purportedly successful attack on US-based financial software company MeridianLink earlier this month, ransomware gang AlphV/BlackCat, the outfit purportedly responsible for the attack, announced that it had filed a whistle-blower report with the US Securities and Exchange Commission (SEC) notifying the SEC that MeridianLink had failed to comply with its disclosure obligations regarding the cyber incident.
This follows the SEC imposing new rules, which come into force next month, requiring companies to disclose "any cybersecurity incident they determine to be material" within four days after they decide it meets that threshold.
In the MeridianLink case, even if the materiality threshold was met, the relevant disclosure obligations are not yet in force. However, these events are a timely reminder for all organisations of the potential risks associated with not complying with relevant disclosure obligations.
Global context
Globally we are seeing regulators and law enforcement agencies increasingly taking enforcement action against breaches of cybersecurity notification obligations, with these agencies prepared to impose serious penalties for non-compliance.
Earlier this year, Uber's former chief security officer (CSO) was sentenced to three years' probation and ordered to pay a fine of US$50,000 and serve 200 hours of community service for covering up a 2016 cyber-attack that reportedly affected 50 million riders and drivers and obstructing a federal investigation. The CSO paid a US$100,000 ransom to the hackers in exchange for them signing non-disclosure agreements saying that they would not reveal the cyber-attack. Judge William Orrick said during the sentencing: "If I have a similar case tomorrow, even if the defendant had the character of Pope Francis, they would be going to prison".
The SEC recently took action against software company SolarWinds and its Chief Information Security Officer for defrauding investors in the wake of a cyber-attack when it had failed to disclose allegedly known cybersecurity risks and vulnerabilities.[1]
The Australian Securities and Investments Commission (ASIC) has also warned that it will seek record penalties for breaches of market disclosure rules amid new findings that listed companies are acting illegally by failing to disclose material cyber-attacks.[2] Earlier this year, Australian start-up software company GetSwift was subjected to an AU$15 million fine for a breach of market disclosure rules. ASIC also fined two directors personally (for AU$1 million and $2 million respectively) in the GetSwift case.
This is in the context of research by University of Wollongong Professor Alex Frino that found that over the past decade, only 11 of the 36 cyber-attacks against ASX-listed companies reported by the media were first disclosed to investors, notwithstanding that companies' stock fell an average of 4.6% once the information did become public.
Whilst these examples relate to breaches of continuous disclosure rules, there is further potential liability where a cybersecurity breach impacts personal information and triggers notification under applicable privacy laws.
Under the New Zealand Privacy Act 2020, a failure to report a notifiable privacy breach constitutes an offence, but fines are still relatively low (NZ$10,000) when compared to other jurisdictions, such as Australia and Europe where fines can run into the many millions of dollars. These sorts of breaches, and associated publicity, also naturally result in significant reputational damage and an erosion of trust.
Practical considerations
The cases above illustrate the difficult decisions confronting boards and management of listed companies when faced with a potential cyber breach.
Under the NZX listing rules a company has an obligation to release to the market "promptly and without delay" any information concerning it that a reasonable person would expect to have a material effect on the price or value of the company's securities, unless one of the safe harbours applies.
In this context, the key question facing a board will be whether the cyber attack is "material information". This is a challenging determination in what will often be a rapidly evolving situation where the nature and scale of the breach may not initially be obvious. It will often also involve weighing up the potential reputational and operational impacts of the breach, rather than simply the financial impact. Issuers may consider making use of trading halts where additional time is required in order to sensibly inform the market about the cyber attack.
Some of the key factors in determining the materiality of a cyber attack include the following:
- Does the attack involve material amounts of personal information? This will likely be more acute for B2C businesses (especially businesses processing sensitive consumer information, such as health data or financial information) and even more acute where the company has operations in a jurisdiction where there are material financial penalties (eg the EU, UK or Australia).
- Has the attack compromised confidential proprietary assets (eg proprietary code, trade secrets or other assets protected by confidentiality) or other material company assets (eg financial assets)? Could there be latent damage caused subsequently through the use of compromised confidential information (eg subsequent leaks or insider trading risks)?
- Has the attack impacted business continuity or operations, or does it have the potential to do so later (either imminently, or further down the track)?
- Do the circumstances of the attack reveal poor security practices by the target?
- Is it a repeat attack, suggesting a pattern of poor security practices that has not been remediated by the target?
- Is there a risk of damage to the target's clients or other third parties material to the target's operations or revenue (eg if an IT managed service provider's client environments are compromised, or the risk of potential insider trading based on compromised information held about clients)?
- If known, do the identity or actions of the perpetrators suggest nefarious purposes? If the incident is simply caused by human error on the part of the organisation's own personnel in circumstances where it can quickly be contained (and the underlying vulnerability remediated), with no harm caused to the organisation, then the incident is unlikely to be material.
Whether or not it is listed, a company that is subject to a cyber-attack will also need to consider whether the breach involves personal information, and if so, whether it may constitute a notifiable privacy breach which is required to be disclosed under mandatory breach reporting obligations under the Privacy Act 2020 or other privacy laws of affected jurisdictions.
For more information on this subject, please get in touch with one of our experts: Liz Blythe, Ian Beaumont or Joe Edwards.