3 Things on Cyber All Firms Must Know

Managed security services providers, or MSSPs, continue to rise in presence and impact—by giving companies a cost-effective alternative to having to dedicate in-house staff to network defense.

In the thick of this emerging market is Rook Security. I spoke with Tom Gorup, Rook’s director of security operations, about this at RSA 2017. A few takeaways:

Outsourced SOCs. MSSPs essentially function as a contracted Security Operations Center, or SOC. Most giant corporations, especially in the financial and tech sectors, have long maintained full-blown SOCs, manned 24/7/365. And so the top MSSP vendors, which include the likes of AT&T, Dell SecureWorks, Symantec, Trustwave and Verizon, are aggressively marketing MSSP services to midsize companies, those with 1,000 to 10,000 employees.

At the other end of the spectrum—catering to very small businesses—you have consulting technicians, operating in effect as local and regional MSSPs. These service providers may have one or two employees. They make their living by assembling and integrating security products developed by others, working with suppliers such as SolarWinds MSP, which packages and white labels cloud-based security solutions for very small businesses.

So what about the companies in between, those with, say, 50 to 999 employees? Security vendors recognize this to be a vastly underserved market, one that probably has pent-up demand for MSSP services.

What MSSPs provide. For midsize and large enterprises, MSSPs deliver an added layer of expertise that can help bigger organizations actually derive actionable intelligence from multiple security systems already in place, such as firewalls, intrusion detection systems, sandboxing and SIEMs. The top MSSPs tap into all existing systems and provide deeper threat intelligence services, such as device management, breach monitoring, data loss prevention, insider threat detection and incident response.

For small businesses, local MSSPs focus on doing the basics to protect endpoints and servers. This relieves the small business operator from duties such as staying current on anti-virus updates, as well as security patches for Microsoft, Apple, Adobe and Linux operating systems and business applications that are continually probed and exploited.

Who needs one? Every business today is starkly exposed to network breaches. So who could use an MSSP? The calculation for midsize and large organizations is straightforward. The goal is to provide more data protection at less cost, based on thoughtful, risk-based assessments. The most successful MSSPs will help company decision-makers build a strong case for their services.

At smaller companies, the first question to ask is this: How mature is my security posture to begin with?

Gorup observes: “Is security even on the radar right now? In smaller organizations, you might have just one person, part-time, working IT. Security is kind of secondary. I’d recommend seeking more advisory services to help detect phishing attacks, help build some processes, help understand what technologies you should invest in. This will allow growth to occur. And then you can make a natural transition into building an SOC or seeking SOC services.”

Another Reason to Ax Performance Ratings

A developing trend in the workplace is to eliminate traditional performance ratings and rankings, a process that is almost universally derided by managers, employees and human resources professionals alike. Finally, executives are capitulating to overwhelming evidence that rating people not only fails to improve their performance but also actually lowers productivity and destroys morale. An added benefit of the trend will be improved mental health among employees.

Author Garrison Keillor famously described his fictional hometown, Lake Wobegon, as “a place where all the women are strong, all the men are good looking and all the children are above average.” That description is not terribly different from the way American businesses and employees perceive themselves—above average. As a company recruiter, I always strove to attract and hire the “best of the best,” “A-players” and “superstars,” those who fit the company’s image as a place with only the very best employees.

And yet, the typical performance management system in America forces managers to rate employees on a scale of one to five, and suggests—strongly suggests in some companies—that those ratings be distributed on a bell curve. That means fully 70% of employees are rated simply “average.” The result? Conflict and stress. Many of the most emotionally charged conversations I’ve had with employees as an HR professional emerged from their distress over the numerical rating that their supervisors had assigned them during a performance review.

Rating people is fraught with stress for everyone involved. In their 2014 article in Strategy + Business, David Rock, Josh Davis and Beth Jones, researchers at the Neuroleadership Institute, explained that giving employees a numerical rating produces a “fight or flight” response in people, “the same type of ‘brain hijack’ that occurs when there is an imminent physical threat like a confrontation with a wild animal.” Not only is rating and ranking employees difficult, it’s expensive. An estimated $14 billion are spent annually on leadership development, which includes training managers to assess and differentiate employees’ performance. Despite that investment, managers are notoriously bad at conducting performance reviews. In one study almost half of the employees surveyed stated they did not believe their managers were being honest during the performance review. One oft-quoted manager at Adobe called it “a soul-crushing exercise.”

As business leaders seek to stop wasting time on a failed system, the trend to reengineer performance reviews is gaining momentum. The number of Fortune 1000 companies that have ditched ratings has risen from just 4% in 2012 to 12% in 2014, according to CEB.

The goal of performance reviews, as it always has been, is to improve the company’s business results. Eliminating ratings will succeed on two fronts: alleviate a key source of workplace stress, and in turn, improve company performance.

Selling Life Insurance to Digital Consumers

When we started PolicyGenius, an independent digital insurance broker, last summer, we braced ourselves for a high-speed education on the finer points of the consumer insurance market–and boy did we get it. We previously consulted for the industry, but even that doesn’t prepare you for all the work that happens on the ground, like filing for licenses on a state-by-state basis, or spending a holiday manually preparing and sending out illustrations because of a last-minute surge in quote requests. (Or dealing with fax machines.)

But learning all the nuances, even the bewildering ones, has been an amazing experience. It’s exciting to be involved in an industry right at the start of its transformation into the next phase of doing business.

We hung out our digital shingle in July 2014, and thanks to our smart shopping and decision-making tools, as well as some extremely positive exposure from the national media, we’ve enjoyed 30% month-over-month growth in our user base.

In the process, we’ve had 12 months to learn a lot about the modern digital insurance customer. Here are six takeaways that agents and carriers can benefit from.

1. Babies are still the No. 1 trigger for buying life insurance–which means there’s still plenty of opportunity to educate consumers about other equally important life events.

It’s no surprise that having a baby motivates a person to buy life insurance. Our own data shows that among customers who take our Insurance Checkup (our online insurance advice tool), the number of those who already have life insurance jumps by 20% if the customer has a child.

In a survey we commissioned last year, we found that consumers place insurance fourth in line behind saving for retirement, paying off debt and following a budget. Life insurance should be a key part of any long-term financial strategy, but a lot of people still don’t realize that. The survey also suggests people don’t recognize the financial challenges that accompany other big life events like marrying, buying a home, starting a business or becoming a caretaker for aging parents.

Our takeaway: Buying life insurance for your baby is a given. Now we need to focus on bringing these other invisible triggers to our customers’ attention.

2. Couples do it together.

A State Farm survey a few years ago found that 74% of people rarely talk about life insurance, in part because it’s an uncomfortable subject to bring up with one’s spouse. But we’ve repeatedly seen one half of a couple begin a life insurance application with us, and then shortly thereafter we get an application for the other half. In fact, around 20% of our life insurance applications have a partner application associated with them.

Our takeaway: Once an applicant sees how easy we’ve made it to shop for a policy, she decides to take care of her partner’s policy while she’s at it. It saves time, and it prevents couples from having to talk about the subject too much or revisit it again any time in the near future.

3. Digital insurance consumers are thoughtful shoppers who appreciate honest advice.

Our average customer spends 9 1/2 minutes exploring her PolicyGenius Insurance Checkup report. According to Adobe’s Best of the Best Benchmark report from 2013, the average time spent on a site in the financial services category is just more than six minutes!

Our takeaway: If you give the customer intuitive educational tools and advice tailored to her financial needs, and you don’t ask for anything intrusive in return (like a phone number), she’ll become more engaged.

We’ve seen this later in the shopping cycle, too, when customers look into the reputations of prospective insurance companies. But more on that below.

4. Digital insurance consumers are happy to do most of the work on their own.

If you’ve been a part of the insurance industry long enough, you’ve probably heard the saying, “Insurance is not bought; it’s sold.” In other words, industry veterans believe that you have to sell (and often pressure) consumers, who wouldn’t otherwise purchase on their own.

We founded our company on the theory that this isn’t true, and now we know that there are people out there who independently come to the conclusion that they need life insurance. We’ve found that customers who come to our site want to go all the way through the application process on their own, with no agent intervention. They self-navigate through decisions about coverage and carrier selection on our site, using the jargon-free content and tools we’ve built to make the path easy. It may not be as easy and fast as buying a pair of shoes from Zappos, but we’ve worked hard to make the process reliable and trustworthy.

But not every self-serve life insurance experience is smooth, which is why it’s important to have human help when needed. One client told us in a follow-up thank you that it was “comforting to have someone on my side in evaluating different insurance carriers and working to get me approved when the first insurer turned me down.”

Our takeaway: If you make insurance easy to shop for, you don’t have to focus so much on the hard sell.

5. Digital insurance consumers are not just Millennials.

Everyone likes to talk about the Millennial consumer these days, but we’ve discovered that the digital insurance consumer isn’t defined by any one generation. It’s true that Millennials (< 35) make up about 50% of our user base; however, Baby Boomers (50+) make up 20% of our user base, and Generation X (35-50)–who spend more online than Boomers do, according to a recent BI Intelligence study–fill out the rest.

Our takeaway: To reach such a wide range of online consumers, we have to focus on values that have universal consumer appeal–honesty, speed and self-service that’s backed by amazing customer support.

6. Insurer financial strength and reputation are important.

When you’re shopping online, you’re used to seeing reviews and ratings. It’s one of the ways online consumers compare products or services that they can’t see face to face.

Customers frequently ask us for insurance company ratings and customer reviews. And they ask for help choosing a carrier when all the ones they’re considering have approximately the same rating, or if customer reviews are inconclusive. We’ve been asked, “Who is the largest insurer or has been around the longest? I don’t want anyone that will go out of business.”

They take financial strength ratings, brand strength and reviews seriously, and factor them in when deciding which policy to buy. It’s so important that we’ve added one-page “report cards” into our life insurance quoting process to help answer these questions.

Our takeaway: Insurance companies don’t have to worry about digital platforms like ours commoditizing their policies and encouraging consumers to shop only on price. While price is important, it’s not the only factor that consumers consider when buying a life insurance policy.

As an industry, we still have a lot to learn about selling insurance to the digital consumer. And as an online broker, we’re still learning valuable customer insights from fellow brokers and agents throughout the industry. It’s true that everything we’ve learned in the past year has helped us confirm many of our initial propositions, but it’s also helped us better understand how to win over today’s insurance shopper. We can’t wait to see what the next 12 months brings.

It’s Time to Toss ‘Rank and Yank’

When executives don’t perform well, sometimes they’re fired. But when the company’s merit rating system doesn’t improve employees, do you fire it, too?

If you’re Accenture CEO Pierre Nanterme, you do. That’s right, he fired ‘rank and yank.’

There will be no more annual performance reviews at Accenture — a decision that employees wholeheartedly support, according to their responses on Facebook and in the Washington Post, which broke the story.

This wasn’t the first time in recent memory that rank and yank was given the boot.

Earlier this year, GE and Deloitte largely eliminated their annual review processes, too. They followed Adobe, which blazed the way in March 2012.

If the unintended consequences of annual performance reviews haven’t yet hurt your business, consider yourself fortunate. But if your organization is one of the millions of businesses that have not fundamentally improved people — effectively making employees worse off today than they were when they first came to work for you — you owe it to yourself and your employees to rethink how you reward and improve people.

The Unintended Consequences

Dr. W. Edwards Deming first suggested eliminating the annual performance review 50 years ago. Deming called it “a disease that annihilated long-term planning, demolished teamwork, left people crushed, bruised and despondent and unable to comprehend why they were inferior.”

Today, with fewer than 40% of employees feeling as though they matter at work, is there much data from which to disagree?

Probably not.

While Deming’s comments certainly weren’t popular with mainstream American leadership, they have resonated loudly with millions of employees.

One thing Deming frequently talked about is systems thinking and how it relates to rank and yank and improving people and their productivity.

Output Equals Input

A Formula One race car running at peak performance maximizes the engine and transmission to generate both horsepower and torque as it speeds along the track. But other components of the system also contribute greatly to the race car’s success or demise.

For example, the conditions of the track can vary based on the weather. Heat, cold, humidity, wind and other climatic conditions all affect racing, creating the need for differing types of tire compounds and race car setup. The speed at which a team can change tires also goes into the mix.

So which element is most likely to propel the car to victory?

All of them. None of them stands alone. This is precisely the point behind systems thinking. The sum of the parts is far more important than individual components.

A System of Profound Knowledge (SOPK)

In Deming’s System of Profound Knowledge, he promoted the idea that a system of production had four key elements that were necessary to improve and transform an organization.

  1. Appreciation of a system
  2. Knowledge of variation
  3. Theory of knowledge
  4. Psychology

All four elements needed to be thoroughly understood by leadership to materially improve production rates, create greater operating efficiencies and, most importantly, improve people on a continuum.

The Element Of Psychology: Destroying the Entire Herd

The original thinking behind the merit rating system was that ranking employees — one against another — would bring the cream to the top, and separate the butterfat from the buttermilk. But the system as we know it has not only spoiled the milk but destroyed the herd used to produce it.

In addition, the merit rating system does little to improve a system’s performance. While a handful of employees might “feel” able to produce more goods and services for a few days following favorable performance reviews, the fact is, over the long haul, this isn’t true.

The Element of Variation and a Bunch of Red Beads

In his famed red bead experiment, Deming destroyed the fallacy that different people, doing the same thing over and over again in a standardized production process, would yield markedly different results. And the variation in output was predictable to near certainty.

During Deming’s experiments, he first established a standardized process. Employees would use the exact same machinery, methods and materials to perform his experiment. The only difference was the person performing the process. Deming, in fact, often used company executives to be production workers for a day.

The goal was to make white beads, of the highest quality and at the fastest rate.

So, pay for performance, maximize output, separate the wheat from the chaff and the men from the boys, right?

Wrong!

Mixed within the white beads would be problems, represented by red beads. Executives would reach down inside a container to pull out white beads, and red beads would be mixed in.

Deming compared the white-bead production of each executive, and they were astonished when they couldn’t outproduce one another on a meaningful basis, no matter how competitive they were or how much encouragement or punitive action they received from Deming or other team members. They were all impaired by the wasteful red beads that kept popping up.

Deming’s simple example of controlled variation showed thousands of executives that merit ratings were ineffective tools at improving human productivity, and improving humans themselves.

To increase production, what was needed was a different way of doing things. A systemically better way. One that used an entire team’s talents and knowledge to find the root causes behind production problems. Knowledge and talents that could be used to improve the system while getting to the bottom of the causes of the red beads.

Deming promoted a system of win-win. One that helped any man or woman working within a system get dramatically better psychologically, not intrinsically worse emotionally. A system that avoided using one man’s talents to destroy another man’s ego — or perhaps even “annihilate it,” as Deming suggested was happening throughout American culture more than 30 years ago.

The Importance of Knowledge

Harvard sociologist Chris Argyris defined learning as “the detection and correction of errors.” Deming suggested that man’s long-term need to learn — an intrinsic motivator — far outweighed the extrinsic rewards and short-term benefits from his financial success.

It was within this context that Deming talked at length about knowledge, psychology, variation and systems thinking and their respective impact on people, productivity and engagement. All aimed directly at improving the conditions in which employees work.

Individuals Vs. Team-Based Merit

Many employees will be happy to see you yank old rank and yank. Especially those who — according to your merit rating system — are indispensable performers one year but dispensable slugs the next.

It’s time to revisit the ideas behind systems thinking and how it can improve man on a continuum.

I rarely use the word “terminate.” But if firing, or simply “laying off” the merit rating system for a while will bring about the good change we need to improve people and profits simultaneously, let’s bring about its pink slip.

Cybersecurity: Five Tips on Disclosure Requirements

With annual reporting season underway, C-suite executives wake to another day and another data breach. Target, Michael’s, Snapchat, Facebook, Twitter, Adobe — the list goes on and on. By now, all companies should appreciate that, notwithstanding the most robust and sophisticated network security, any company is a vulnerable next “Target” for a serious cybersecurity incident. Consequences typically include negative publicity, reputational damage that hurts customer and investor confidence, lost market capitalization, claims and legal disputes, regulatory investigations — and falling stock prices. In the wake of its high-profile data breach, Target’s directors and officers were hit on Jan. 29, 2014, with a shareholder derivative action alleging that “Target shares were trading above $63.50 on Dec. 18, 2013, before the news of the data breach and have fallen over 10.5% to $57.60” and that “Target … has suffered considerable damage from breach.”1

In view of the recent high-profile data breaches, and the pervasiveness of cybersecurity incidents in general, companies are well-advised to consider whether their current cybersecurity risk factor disclosures are adequate. Proper attention to cybersecurity risk factor disclosures may assist a company in avoiding a Securities and Exchange Commission (SEC) comment letter. Even more importantly, proper attention to cybersecurity risk factor disclosures may decrease the likelihood that a company will face securities class action litigation and shareholder derivative litigation in the wake of a cybersecurity incident that hurts the company’s stock price — or, at a minimum, may mitigate a company’s potential exposure in the event of such litigation.

The Form 10-Ks that public companies are preparing to file in the coming weeks present a significant opportunity for companies to review and strengthen their cybersecurity risk factor disclosures. Below are five tips that companies may wish to consider in reviewing the adequacy of their existing cybersecurity disclosures:

SEC Disclosure Guidance

By way of background, companies must keep in mind that, although existing disclosure requirements do not (yet) expressly reference “cybersecurity,” the SEC’s Division of Corporation Finance (SEC staff) has emphasized the importance of appropriate cybersecurity disclosures. In the wake of what it termed “more frequent and severe cyber incidents,” the SEC issued cybersecurity disclosure guidance,2 which advises companies to review, on a continuing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.3

While acknowledging that no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, the SEC’s guidance stresses that existing requirements oblige companies to make appropriate cybersecurity disclosures.

SEC Chairwoman Mary Jo White reaffirmed a company’s current cybersecurity disclosure obligations in response to an April 9, 2013, letter received from Senate Commerce Chairman Jay Rockefeller.4 In his letter, Chairman Rockefeller urged the SEC to “elevate [its] guidance,” noting that “investors deserve to know whether companies are effectively addressing their cybersecurity risks.” In response, Chairwoman White emphasized that “[e]xisting disclosure requirements … impose an obligation on public companies to disclose risks and events that a reasonable investor would consider material” and that “cybersecurity risks are among the factors a public company would consider in evaluating its disclosure obligations.”5 Chairwoman White also highlighted that cybersecurity risk “is a very important issue that is of increasing concern” and stated that the SEC “continues both to prioritize this important matter in its review of public company disclosures and to issue comments concerning cybersecurity.”

In its guidance, the SEC staff advises companies to disclose cybersecurity risks consistent with the Regulation S-K Item 503(c) requirements for risk factor disclosures generally, such that the disclosure provided must adequately describe the nature of the material risks and specify how each risk affects the company. The guidance proceeds to advise that appropriate disclosures may include the following:

  • Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
  • To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
  • Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
  • Risks related to cyber incidents that may remain undetected for an extended period; and
  • Description of relevant insurance coverage.6

Although the guidance does not add cybersecurity disclosure obligations, it is abundantly clear that failure to make adequate cybersecurity disclosures may subject a company to increased risk of enforcement actions and shareholder suits in the wake of a cybersecurity incident that hurts a company’s stock price.

The Five Tips

The following five tips may assist companies in reviewing the adequacy of their existing cybersecurity disclosures based on the SEC’s disclosure guidance as well as comments issued to approximately 55 companies over the last two years.

1. Perform a cybersecurity risk assessment. The SEC staff states in its guidance that it expects companies to evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents, as well as the adequacy of preventive actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware. To facilitate adequate disclosures, companies should consider engaging in a thorough assessment of their current cybersecurity risk profile and the impact that a cybersecurity breach may have on the company’s business. In addition to positioning the company to provide adequate cybersecurity risk factor disclosures, undertaking a risk assessment is consistent with the National Institute of Standards and Technology’s recently released Preliminary Cybersecurity Framework.7 At a high level, it provides a framework for critical infrastructure organizations to achieve a grasp on their current cybersecurity risk profile and risk management practices and to identify gaps that should be addressed to progress toward a desired “target” state of cybersecurity risk management.8 Although the Cybersecurity Framework is voluntary, organizations are advised to keep in mind that creative class action plaintiffs (and even some regulators) may nevertheless assert that the Cybersecurity Framework provides a de facto standard for cybersecurity and risk management.

2. Consider disclosing prior — and potential — breaches. To the extent a company or one of its subsidiaries has suffered a reported or known cybersecurity event, the company should anticipate that the SEC may issue a comment letter if the event is not disclosed. The following comments are typical of what a company might expect to see:

  • We note that [your subsidiary] announced on its website that a cyber attack occurred during which millions of user accounts were compromised. Please tell us what consideration you gave to including expanded disclosure consistent with the guidance provided by the Division of Corporation Finance's Disclosure Guidance Topic No. 2.
  • We have read several reports of various cyber attacks directed at the company. If, in fact, you have experienced cyber attacks, security breaches or other similar events in the past, please state that fact to provide the proper context for your risk-factor disclosure.

Notably, the guidance states that appropriate disclosures may include a description of cybersecurity incidents that are material individually or in the aggregate. And the comments issued to date indicate that where a company states that it has not been the victim of a material cybersecurity event, the SEC nonetheless has requested that the company’s risk-factor disclosure be expanded to state generally that the company has been the victim of hacking — regardless of the fact that prior events were immaterial. A few of the SEC comments to date include (in summary form):

  • We note your response that the incident did not have a material impact on the company’s business. To place the risks described in this risk factor in appropriate context, in future filings please expand this risk factor to disclose that you have experienced cyber attacks and breaches.
  • You state that you have not experienced a material breach of cybersecurity. Your response does not appear to address whether you are experiencing any potential current business risks concerning cybersecurity. For example, despite the fact you believe you have not experienced a material breach of your cybersecurity, are you currently experiencing attacks or threats to your systems? If you have experienced attacks in the past, please expand your risk factor in the future to state that.
  • We note that your response suggests that you have, in fact, experienced third-party breaches of your computer systems that did not have a material adverse effect on the company’s operations. To place the risks described in your current risk factor in appropriate context, in future filings please expand your disclosure to state that you have experienced cyber attacks and breaches.

In addition, the SEC’s guidance advises that companies may need to disclose known or threatened cyber incidents together with known and potential costs and other consequences. Companies in targeted industries that have not yet suffered a cybersecurity incident (or are not yet aware that they have suffered an incident) should consider disclosing how the company might be affected by a cybersecurity incident — even if no specific threat has been made against the company. Below are sample summary comments received by companies based on their particular industry or peer disclosures:

  • We note press reports that hotels and resorts are increasingly becoming a target of cyber attacks. Please provide risk-factor disclosure describing the cybersecurity risks that you face. If you have experienced any cyber attacks in the past, please state that fact in the new risk factor to provide the proper context.
  • Given that other companies in your industry have actually encountered such risks from cyber attacks, such as attempts by third parties to gain access to your systems for purposes of acquiring your confidential information or intellectual property, including personally identifiable information that may be in your possession, or to interrupt your systems or otherwise try to cause harm to your business and operations and have disclosed that such risks may be material to their business and operations, please tell us what consideration you gave to including disclosure related to cybersecurity risks or cyber incidents.
  • We note that the incidences of cyber attacks, including upon financial institutions or their service providers, have increased over the past year. In future filings, please provide risk-factor disclosure describing the cybersecurity risks that you face. In addition, please tell us whether you have experienced cyber attacks in the past. If so, please also disclose that you have experienced such cyber attacks to provide the proper context for your risk-factor disclosure.

3. Be specific. The SEC staff has advised that companies should avoid boilerplate language and vague statements of general applicability. In particular, the guidance states that companies should not present risks that could apply to any issuer or any offering, and should instead provide disclosure tailored to their particular circumstances. Companies that offer generally applicable statements may expect to receive comments such as the following:

  • You state that, “Like other companies, our information technology systems may be vulnerable to a variety of interruptions, as a result of updating our SAP platform or due to events beyond our control, including, but not limited to, natural disasters, terrorist attacks, telecommunications failures, computer viruses, hackers and other security issues.” Please tell us whether any such events relating to your cybersecurity have occurred in the past and, if so, whether disclosure of that fact would provide the proper context for your risk-factor disclosure.
  • We note that you disclose that you may be vulnerable to breaches, hacker attacks, unauthorized access and misuse, computer viruses and other cybersecurity risks and events. Please tell us whether you have experienced any breaches, hacker attacks, unauthorized access and misuse, computer viruses and other cybersecurity risks and events in the past and, if so, whether disclosure of that fact would provide the proper context for your risk-factor disclosures. 

4. Remember that a vulnerability “road map” is not required. Although the SEC seeks disclosures that are sufficient to allow investors to appreciate the nature of the risks faced by a company, it has made clear that the SEC does not seek information that would create a road map or otherwise compromise a company’s cybersecurity. At the outset of its guidance, the SEC staff states that it is mindful of potential concerns that detailed disclosures could compromise cybersecurity efforts — for example, by providing a “road map” for those who seek to infiltrate a company’s network security — and that disclosures of that nature are not required under the federal securities laws. The SEC guidance later reiterates that the federal securities laws do not require disclosure that itself would compromise a company’s cybersecurity.

5. Consider insurance. Network security alone cannot entirely address cybersecurity risk; no firewall is unbreachable, and no security system is impenetrable. Insurance can play a vital role in a company’s overall strategy to address and mitigate cybersecurity risk. Reflecting this reality, the SEC guidance advises that appropriate disclosures may include a description of relevant insurance coverage that a company has in place to cover cybersecurity risks. The SEC’s guidance thus provides another compelling reason for companies to carefully evaluate their current insurance program and consider purchasing cyber and data privacy-related insurance products, which can be extremely valuable.9 In the wake of a data breach such as the one at Target, for example, a solid cyber insurance policy may cover not only liability arising out of potential litigation, such as defense costs, settlements and judgments, but also breach-notification costs and other “crisis management” expenses, including forensic investigation, credit monitoring, call centers and public relations efforts, as well as potential regulatory investigations, fines and penalties. Recent SEC comments have requested information regarding both whether the company has obtained relevant insurance coverage and the amount of the company’s cyber liability insurance.

Considering these five tips may assist companies in minimizing the likelihood of receiving an SEC comment letter (and possibly multiple rounds of comments) and, even more importantly, the likelihood of lawsuits alleging inadequate disclosure in the event of a cybersecurity incident.

1 Collier v. Steinhafel et al., No. 0:14-cv-00266 (D. Minn.) (filed Jan. 29, 2014), at ¶ 76.

2 The guidance defines “cybersecurity” as “body of technologies, processes and practices designed to protect networks, systems, computers, programs and data from attack, damage or unauthorized access.”

3 SEC Division of Corporation Finance, Cybersecurity, CF Disclosure Guidance: Topic No. 2 (Oct. 13, 2011), available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm

4 The April 9, 2013 letter is available at http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=49ac989b-bd16-4bbd-8d64-8c15ba0e4e51

5 Chairman White’s May 1, 2013 letter is available at http://articles.law360.s3.amazonaws.com/0441000/441415/512013%20Letter%20from%20SEC%20Chair%20White.pdf

6 While the majority of the guidance is focused on risk factors, the SEC also advises that cybersecurity disclosures may be appropriate in other areas of a company’s filings, including management’s discussion and analysis “if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.”

7 The Cybersecurity Framework, available at http://www.nist.gov/itl/upload/preliminary-cybersecurity-framework.pdf.

8 Roberta D. Anderson, NIST Unveils Preliminary Cybersecurity Framework, Cybersecurity Alert (Nov. 25, 2013), available at http://www.klgates.com/nist-unveils-preliminary-cybersecurity-framework-11-22-2013/

9 Roberta D. Anderson, Before Becoming The Next Target: Recent Case Highlights The Need To Consider Insurance For Data Breaches, Insurance Coverage Alert (Jan. 16, 2014), available at http://www.klgates.com/before-becoming-the-next-target–recent-case-highlights-the-need-to-consider-insurance-for-data-breaches-01-16-2014/