If a company decides that it will not report certain information at this time, the company should do an exercise where it makes the assumption that the unannounced items do get announced. This exercise means that unannounced scenarios can’t be ignored. They must be seriously considered, if for no other reason than to improve the wording of what is being announced to the SEC.
“Any disclosure is a point in time. In the (enterprise) war room examining an incident, you are always thinking about what may happen,” says Justin Greis, a McKinsey partner who leads the firm’s cybersecurity work in North America. The court ruled that such incidents may not have to be reported but must be examined to see if they would meaningfully color current filings.
This is why companies should then take another look at the wording of what they are about to file to the SEC and see if the unannounced item would justify wording changes to prevent it from becoming misleading.
What the Supreme Court ruling changes for CISOs
The particulars of Friday’s case did not relate to cybersecurity. The case involved Macquarie Infrastructure and a securities fraud accusation because it failed to report to the SEC information about a United Nations fuel oil regulation that could have impacted the company’s revenue. The UN information was already public knowledge, so it was not an issue of Macquarie hiding the information as much as it chose to not highlight it in an SEC filing. It was sued by hedge-fund manager Moab Partners.
“The question in this case is whether the failure to disclose information required by Item 303 can support a private action under Rule 10b–5(b), even if the failure does not render any statements made misleading. The Court holds that it cannot,” the ruling said. “Today, this Court confirms that the failure to disclose information required by Item 303 can support a Rule 10b–5(b) claim only if the omission renders affirmative statements made misleading.”
Friday’s Supreme Court ruling “basically says that an omission in your S-K disclosures would be actionable only if it would have countered statements you did make. So, if you don’t feel like disclosing a risk, then also avoid making affirmative statements about things that the risk would compromise,” says Chris Cronin, a security consultant who serves as an expert witness for defense, plaintiffs, and regulators. “As a shareholder, I’m not happy about the now-clear instructions for hiding risks from your 10-K. The detail and comprehensiveness of appropriate cyber risk reporting was bound to be in contention without good examples and principles to guide filers. (The ruling) only hampers a portion of the cybersecurity rule that companies seem to be pretty bad at.”