De-Risking Your Risk Disclosures
De-Risking Your Risk Disclosures
Last week, the Ninth Circuit ruled in a securities case that a company’s disclosure of cybersecurity risk may be misleading if the risk had already materialized and the company did not disclose that fact.[1] In light of that ruling, companies should consider adding a disclaimer to their risk factor disclosures making clear that, by disclosing a risk, the company is not representing that the risk has not already materialized. If a previously disclosed risk has materialized, companies should avoid representing that there have been no material changes to their prior risk disclosures.
The complaint alleged that in February 2018, Alphabet, Inc. (“Alphabet”), the holding company of Google LLC (“Google”), filed its 10-K for FY 2017. In the “risk factors” section, it listed potential consequences in the event third parties were to breach Google’s cybersecurity measures and obtain access to its users’ private data.
The complaint further alleged that in April 2018, the Alphabet CEO discovered that a bug had exposed Google user data for a three-year period. The company did not disclose the breach at the time.
Further, it alleged that on April 23, 2018, and July 23, 2018, Alphabet filed 10-Qs, stating affirmatively that there had been “no material changes” to the risk factors set out in its 2017 10-K and made no disclosure about the data breach.
In October 2018, the Wall Street Journal published an article disclosing the breach. Alphabet’s stock price declined following the article. Three days after the article was published, securities fraud actions were filed against Alphabet, Google, their CEOs, and their senior executives. The District Court dismissed the plaintiffs’ consolidated complaint for failure to allege any material misrepresentation or omission and failure to sufficiently allege scienter. The plaintiffs declined to amend their complaint and instead appealed the decision.
The Ninth Circuit reversed. The panel found it plausible that a reasonable investor reading the 10-Qs would have been misled by the company’s representation that there had been “no material changes” in the risk factors into believing that Google had not discovered a data breach. The panel relied on the Securities Exchange Commission’s guidance regarding the adequacy of cybersecurity-related disclosures[2] as “judgments about the way the real world works” to inform its analysis of a reasonable investor’s perspective.
The Ninth Circuit distinguished its decision in a prior case where the defendant acknowledged that it was already experiencing challenges of the kind that were described in its risk disclosures.[3] The panel declined to follow the Sixth Circuit’s view that disclosing a risk does not imply that the risk has not already materialized.[4]
While drafting risk disclosures, companies must be especially careful about referring back to prior risk disclosures and stating that there have been no material changes. If any of the disclosed risks have materialized in the interim, plaintiffs may assert that the latter disclosures are materially misleading.
Companies should also consider adding language to their risk disclosures stating that investors should not interpret the disclosure of a risk to imply that the risk has not already materialized. If a risk has materialized, companies should consider updating their risk disclosures to state that the risk has occurred and may occur in the future.
[1] In re Alphabet, Inc. Sec. Litig., No. 20-15638, 2021 WL 2448223 (9th Cir. 2021).
[2] Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Securities Act Release No. 33-10459, Exchange Act Release No. 34-82746, 83 Fed. Reg. 8166-01, 8167 (2018).
[3] Wochos v. Tesla, Inc., 985 F.3d 1180 (9th Cir. 2021).
[4] Bondali v. Yum! Brands, Inc., 620 F. App’x 483 (6th Cir. 2015).