Data Security Breaches: The Voluntary Disclosure Debacle for Listed Companies

How do listed companies err on the side of caution without treating every information leak a disclosure of price sensitive information...

With advancements in artificial intelligence, algorithmic analysis of seemingly unconnected segments of data is often able to yield inferences that are greater than the sum of its parts. This has resulted in some unique challenges when dealing with cyber security incidents relating to listed companies.

After a recent amendment to the Securities and Exchange Board of India (Prohibition of Insider Trading) Regulations, 2015 (PIT Regulations) every listed co mpany is required to formulate policies and procedures for inquiry in case of leak or suspected leak of UPSI. This shifts the onus onto the listed company to determine whether there has been a leak, suspected or real, of UPSI and report it to the Securities and Exchange Board of India (SEBI).

The second challenge arises from the fact that while leaked information about a listed company may not prima facie appear to be unpublished, price sensitive information (UPSI), when algorithmically analyzed in conjunction with other information in the public domain, may yield inferences that would deem such information to be UPSI. With listed companies increasingly engaging with customers through official social media handles, any positive or negative response to a question about undisclosed quarterly results may be considered a leak of UPSI. The question then, is how listed companies may practically err on the side of caution, without escalating every information leak to be UPSI.

Since the PIT Regulations do not specify that every leak of data which could be price sensitive needs to be disclosed, there is no 'safe harbour' provided for companies that proactively make such disclosures. Therefore, the incentive for companies to make disclosures to stock exchanges and disseminate information that could be construed as price sensitive, is limited to correcting information asymmetry with a view to preventing those who may be able to draw price sensitive inferences from leaked data.

The legislative intent of the PIT Regulations is apparent from the report of the high level committee to review the SEBI (Prohibition of Insider Trading) Regulations, 1992, under the chairmanship of N. K. Sodhi (Sodhi Committee Report). The Sodhi Committee Report intended that there should be prompt dissemination of material information that gets disclosed selectively, inadvertently, or otherwise, to ensure that such information is made generally available. Accordingly, to adhere to the legislative intent and mitigate any liability for a delayed disclosure, it is the prerogative of the listed entity to ascertain whether the data may be construed as UPSI in conjunction with other data in the public domain, and "promptly inform the stock exchange(s) of all information having a bearing on the performance/operation of the listed entity and price sensitive information" as is required by the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 (LODR).

To comply in both letter and spirit with the aforesaid requirement to correct information asymmetry contained in the 'Principles of Fair Disclosure for purposes of Code of Practices and Procedures for Fair Disclosure of Material Information' of the PIT Regulations, it is important for listed entities to formulate a policy for online engagement with customers and a defined protocol to assess whether data that has been leaked can be coupled with other data already in the public domain to draw inferences that would have the effect of a leakage of UPSI.

There are broadly two principle-based approaches which can be followed by listed entities to correct information asymmetry when faced with a data breach. One approach would be to disclose the leakage or inadvertent disclosure of any information, however insignificant to the stock exchanges with a view to correcting the information asymmetry caused by selective disclosure. This prevents retail investors

from being prejudiced by a leakage or inadvertent disclosure resulting in price sensitive inferences being available only to those in possession of artificial intelligence / algorithmic analysis. The other approach, which

is materiality based, is to formulate a policy for the classification of information that if leaked, could impact price discovery, and where such information is leaked, inform the stock exchanges and request for the suspension in trading till the extent of the breach has been determined, or make a public announcement to ensure dissemination of the information into the public domain.

Presently, there are mandatory reporting obligations under Indian laws only for certain categories of 'cyber security incidents'. These are set out under the Information

Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 ("CERT Rules") which specify certain 'cyber security incidents' which are required to be mandatorily disclosed to the Indian Computer Emergency Response Team ("CERT") as soon as possible. These include incidents such as (i) targeted scanning/probing of critical networks/systems, (ii) compromise of critical systems/information, (iii) unauthorized access of IT systems/data, (iv) defacement of website or intrusion into a website and unauthorized changes such as inserting malicious code, links to external websites etc., (v) malicious code attacks such as spreading of virus/worm/trojan/botnets/spyware, (vi) attacks on server such as

database, mail DNS and network devices such as routers, (vi) identity theft spoofing and phishing attacks, (vii)

denial of service and distributed denial of service attacks, (viii) attacks on critical infrastructure, supervisory control and data acquisition systems and wireless networks, attacks on application such as e-governance, e-commerce

etc.

As is apparent from the above, there is only a limited number of instances where a cyber-security incident is required to be disclosed only to the CERT and there is no specific requirement for such disclosures to be made to the stock exchanges. Insofar as reporting of cyber security incidents is concerned, publicly available information indicates that enforcement of regulatory reporting is very limited. If SEBI offers companies making such disclosure a safe harbour protection from penalties under the PIT Regulations, it will go a long way in incentivizing prompt disclosures of data leakages which could contain components which pieced together may constitute UPSI.

As the present disclosure requirements stem from a conjunct reading of the LODR and PIT Regulations and allows for discretion in interpretations, listed entities are left to determine for themselves where disclosures of data leaks need to be reported by an application of a dual test of materiality thresholds as well as whether the information is UPSI. While companies would do well to disclose every leak so as to correct the information asymmetry that may be caused, it would be impractical for the regulator to mandate that each data leak should be reported. By providing companies with the discretion not to disclose such inadvertent disclosures leaks of data, mitigation of regulatory liability rather than being diminished by self-regulation, is predicated on an arguable yardstick of materiality.

Disclaimer – The views expressed in this article are the personal views of the author and are purely informative in nature.