Please find below a U.S. securities law update on: 1) market developments in the SEC’s regulation of social media; and 2) the Willis Fortune 500 Cyber Disclosure Report. The Forum’s alerts are intended to keep you up to date with recent legal news relevant to a capital markets practice in the London and international markets. We continue to welcome any feedback regarding our alerts.
Companies Caught Out by SEC Social Media Regulation
Carl Icahn’s inaugural tweet on June 20, 2013 proudly exclaimed that “Twitter is great. I like it almost as much as I like Dell.” Unfortunately for the billionaire, who is currently engaged in on-going efforts to thwart a $24.4 billion management buyout of computer maker Dell, he was promptly advised by his lawyers to make a regulatory filing with the U.S. Securities and Exchange Commission (SEC) alerting Dell’s investors to the tweet, on the basis that it could be viewed as soliciting votes against the deal. The tweet fell under the broad umbrella of proxy solicitation given that he is seeking votes against the proposed buyout of the company led by founder Michael Dell.
The incident is evidence of the growing disparity between SEC regulation and corporate social media policy. The SEC fuelled fears of a social media crackdown in December last year when it threatened to sue Netflix over a Facebook post by its CEO which caused an immediate spike in the company’s share price. The commission warned that Netflix may have violated Regulation Fair Disclosure, which requires companies to disclose material information publicly, rather than to a closed set of investors, analysts or insiders.
The SEC issued a report in April clearing up its social media policy, though companies still remain cautious in their attitude to social media. The Commission allows companies to use social media as long as they first tell investors where to look, but many are sticking to more low-tech ways of announcing information. In January, Zipcar also filed a Form 8-K following a tweet by CEO Scott Griffith detailing its acquisition by Avis Budget Group Inc. The filing was also due to concern over the SEC’s proxy solicitation rules.
The Willis Fortune 500 Cyber Disclosure Report, 2013
As part of the Obama administration’s commitment to combatting cyber crime, the SEC issued guidance in 2011 to U.S.-listed companies relating to extensive disclosure on their cyber exposures. Most U.S. public companies began complying with the SEC’s guidance in 2012 and their disclosures are attracting attention from firms and companies worldwide, who are looking to understand the risks in their international portfolios.
The SEC hopes the guidance will provide investors with meaningful material pertinent to the buying, holding, or selling of a company’s stock. In particular, recommended areas of focus include aspects of the firm’s business or operations that give rise to cyber security risks, exposure relating to outsourcing procedures, risks relating to incidents that can remain undetected, and descriptions of specific material cyber security incidents that have occurred.
Insurance broker Willis views the SEC’s guidance as a game changer, and has analyzed company disclosures in their 2013 report, the Willis Fortune 500 Cyber Disclosure Report. The study found that 85% of Fortune 500 companies are following the SEC guidelines, although almost 40% of companies reviewed did not provide substantial detail on the size or nature of their exposure, the specifics requested by the SEC being “mostly absent”. Significantly, 15% of companies indicated that they did not have the resources to protect themselves against critical attacks.
The study’s top three risks were loss or theft of confidential information (identified by almost two thirds of all companies), loss of reputation (identified by half of all companies) and direct loss from malicious acts such as hacking and viruses (identified by almost half of companies). The report also looked at industry groups and found the banking, professional services and software sectors to be the most risk averse, while consumer finance, beverages and the capital markets sectors had the lowest average exposure index figures.
Just 6% of companies mentioned that they purchase insurance to cover cyber risks, although another recent survey by Chubb placed this number at 35% of public companies. The Chubb survey also found that a quarter of companies are expecting a cyber breach in the coming year and that 71% have cyber breach response plans in place. Companies that have purchased insurance to cover cyber risks appear to be concentrated in the financial, media, utility and energy sectors.
In order to bolster its findings, Willis is already working on a follow up study focusing on specific sectors identified by the U.S. government as “critical infrastructure”, as well as an examination of the Fortune 1000.
To view the full Willis Fortune 500 Cyber Disclosure Report, 2013, please click here.