A Need for Clearer Disclosure Rules after Cyberattacks

Craig A. Newman and Daniel L. Stein are litigation partners with Richards Kibbe & Orbe, the New York-based law firm. Mr. Newman also serves as chief executive of the Freedom2Connect Foundation, a nonprofit group focused on promoting Internet freedom through the use of technology. Mr. Stein is a former federal prosecutor.

Cyber threats against American corporations and financial institutions are growing in frequency and intensity, so much so that Defense Secretary Leon E. Panetta recently invoked the specter of a “cyber-Pearl Harbor.”

By suggesting the possibility — even likelihood — of such a devastating attack, Mr. Panetta has made it clear that the danger facing our country is unambiguous. Unfortunately, the same cannot be said about the roles and responsibilities of corporations that are victims of cybercrime.

Amid the current wave of attacks, corporations are faced with conflicting, and often irreconcilable, demands — creating significant concerns for both corporate leaders and investors.

Thanks to the public efforts of Senator John D. Rockefeller and others, corporate America can no longer say that it hasn't been warned. Law enforcement officials, led by Preet Bharara, the United States attorney in Manhattan, have made a full-throated plea for cooperation from victimized corporations.

Yet, companies facing these crimes confront a quandary. To avoid tipping off perpetrators to a continuing investigation, law enforcement officials often rightly encourage — or even demand — that companies keep confidential the fact that they've been victimized. But executives and corporate boards also have a duty to the public markets and investors to provide prompt information about material risks to their businesses.

After all, a company whose data security is breached could lose critical trade secrets in a matter of seconds. For start-ups, or other companies whose values are largely made up of intellectual property or other intangible assets, a cyberattack could be devastating. A company's value could disappear with the click of a mouse. If such a company were to not disclose to the public that such an attack had occurred — even if the nondisclosure stemmed from the insistence of law enforcement — investors in that company will be deprived of material information.

Even if a victimized company discloses an attack, it would be difficult for management to cooperate with law enforcement while facing money managers and investment advisers, who owe it to their clients to ask tough questions of an attacked company. Without getting straight and candid answers to those tough questions, they lose the ability to monitor their investments and, indeed, risk watching their investments lose critical value while law enforcement investigates.

The tension between the demand for discreet cooperation and the obligation to inform investors and the markets has created an untenable and dangerous dilemma for companies. Unfortunately, the S.E.C. has provided little direction to corporate leaders confronting these conflicting demands. Securities laws do not say, one way or another, when an intrusion requires disclosure.

Last fall, the S.E.C. issued “guidance” to companies on when to disclose an incident to investors. But the S.E.C.'s guidance is just that. It is not a rule or regulation, nor is it mandatory. Fundamentally, the S.E.C.'s guidance does not speak to the competing demands placed on a victimized corporation to cooperate with law enforcement.

The solution is not simple. Some have suggested that the S.E.C. should adopt a regulation giving corporations a “pass” from public disclosure obligations if they refer the matter to law enforcement. But such a rule could easily be abused.

When a corporation is faced with an online attack, and the potential legal exposure and the risks to its reputation and stock price, its executives have a powerful incentive not to go public. It could prove irresistible for a victimized corporation to make a half-hearted referral to law enforcement and then use the proposed S.E.C. regulation as a fig leaf to avoid an embarrassing — and potentially devastating — disclosure.

And, once a disclosure to law enforcement is made, the company is likely to get little information about the status or progress of any investigation. Can a company that reports an attack to law enforcement, and then hears nothing for weeks or months, continue to keep information about the attack from investors? At some point, a company will have to conclude that its duty to investors overrides its responsibility as a good corporate citizen to comply with requests for discretion.

There is no doubt that everyone is working to prevent the “cyber-Pearl Harbor” that Mr. Panetta is predicting. But the absence of clear direction from securities regulators means that, with every new cyberattack, there is an increasing likelihood of devastating fallout for companies, their investors and our financial system. But unlike the attacks themselves, this outcome is not inevitable — if the S.E.C. steps forward and brings clarity to the competing demands of cooperation and disclosure.