The US Securities and Exchange Commission (SEC) Division of Corporation Finance late last week issued new guidance "... regarding disclosure obligations relating to cybersecurity risks and cyber incidents."
The guidance document - which says several times that it is not a requirement - states that public companies "should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky."
In determining whether the risk needs to be disclosed or not, the SEC expects the companies to:
"... take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents. As part of this evaluation, [public companies] should consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption. In evaluating whether risk factor disclosure should be provided, [public companies] should also consider the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware."
There is more in the SEC guidance, which you can read here, but for the most part it provides general instructions to public companies on what they should disclose before and after a cyber incident. There is, as you can see above, a lot of discretion left to companies in deciding whether they think a cyber threat or incident is material or not.
One reason seems to be that the SEC is trying to walk a fine line here. On one hand it wants companies to disclose their cyber-related risks, but on the other hand, the SEC doesn't want such disclosures to be an open invitation to hack attacks on a company doing so either.
However, the SEC did note in the last paragraph of the guidance that public companies "... are required to disclose conclusions on the effectiveness of disclosure controls and procedures." In other words, if a cyber attack could negatively affect a company's "ability to record, process, summarize, and report information that is required to be disclosed" to the SEC, the company had better say so publicly in its SEC filings. This is a kind of backdoor way to force companies to address their cyber vulnerabilities publicly, to at least some degree.
As noted in a Washington Post article, few security analysts think the SEC guidance will change dramatically how public companies go about reporting their cyber vulnerabilities or whether they have been hacked or not. At best, it may open the door a little more for shareholders/customers to bring a lawsuit against a company that has been hacked and didn't previously disclose it was at some risk of being hacked. However, as Sony did in relation to users of its PlayStation Network, companies may just step up efforts to limit their exposure to class action lawsuits in the wake of a cyber attack.
The SEC guidance also doesn't address whether a public company needs to disclose a cyber incident at a company it does business with when that incident affects it financially. For example, about two weeks ago Bank of America was telling some of its customers in Florida that "... we have learned that account information from certain Bank of America debit cards may have been compromised at an undisclosed third party location. Your debit card number may have been part of this compromise."
Customers were issued new debit cards, but BoA wasn't disclosing which establishment they had patronized that had suffered the security compromise. In September, I received a nearly identical letter, but this time involving one of my BoA credit cards. BoA wouldn't tell me who got compromised, either, other than to say it was some "major retailer." I doubt BoA's SEC filings make it clear how many of these third-party cyber incidents it experiences, what they cost, or whether the bank is fully reimbursed for them.
The SEC guidance also doesn't affect US governmental organizations, which are outside its purview. However, the SEC might gain more credibility about disclosing cyber incidents if it followed its own guidelines.
As a Reuters "exclusive" story a few days after the guidance was issued noted, the SEC warned "... staffers that their personal brokerage account information may have been compromised, after it uncovered security flaws with an ethics compliance program." The SEC told employees to consider placing a fraud alert on their credit files and said it would offer them a free year of credit monitoring.
Apparently, Reuters only found out about the incident when an SEC employee showed a reporter the SEC letter to its employees warning of the data compromise.
Looks like a case of "do as I say, not as I do."
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.