Recent guidance from the U.S. Securities and Exchange Commission on disclosure of cybersecurity risks and incidents puts the spotlight squarely on enterprise cybersecurity and could help security professionals at publicly traded companies win funding for projects, experts say.
Released in October, the guidance from the SEC’s Division of Corporate Finance makes it clear that companies must factor cybersecurity risks and incidents into their SEC disclosures. Companies should disclose “the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky,” according to the guidelines.
In order to determine whether disclosure is required, the SEC says companies should take into account a number of factors, including prior incidents, the potential costs and consequences of data theft or operational disruption resulting from a breach, and the adequacy of preventative actions to reduce risk. The SEC advises companies to avoid generic “boilerplate” disclosure, but notes that detailed disclosures that could compromise a company’s cybersecurity efforts are not required under federal securities law.
“Companies will have to ask themselves, ‘Are we looking at cybersecurity and cybersecurity incidents in a way that relates to how they might impact us financially?” says David Navetta, a founding partner of the Information Law Group, which focuses on data security and privacy, among other issues. “It raises the profile of the issue within organizations, and it probably requires a look at existing processes and procedures to make sure companies are doing a risk assessment and doing it globally.”
The SEC guidance may give security professionals more leverage to do more risk assessments and other security initiatives, he says. “In economies like this, it’s sometimes hard to get budget, personnel and technology,” Navetta adds. “When the SEC makes a proclamation like this and highlights the importance of cybersecurity, there’s a different story for CISOs and security professionals to tell.”
Jonathan Gossels, president and CEO of security consulting firm SystemExperts, agrees that the SEC guidance could help give security professionals leverage in the enterprise. Overall, the guidelines make sense in an increasingly digital world.
“In this day and age, when everything is run by computers and everything is networked, how can you not consider [cybersecurity] as every other business risk you have to disclose?” Gossels asks.
However, he and other experts note the guidance is just that – guidance. “It doesn’t create any new obligations,” says Francesca Wolf, legal counsel and compliance officer at the Information Security, Forensics and Data Breach practice of Kroll, a risk consulting firm. “It’s focused around existing obligations and how cybersecurity fits into those existing requirements.”
Even though the guidance isn’t a binding rule, it’s something companies definitely need to consider, she says. “Plaintiffs’ attorney and enforcement agencies will be looking at this and using this as a standard you should be meeting. If you don’t, it puts you at risk.”
Still, a problem with the guidance has to do with 20/20 hindsight, Wolf says. After a breach, the material risk is clear, but before a company actually experiences a breach, it’s difficult to determine how great the risk is, she says.
Companies should conduct comprehensive risk assessments, Wolf says, but many don’t have a robust enough in-house system. She expects more organizations will turn to outside experts to perform those assessments, adding that having an outside opinion can help companies in the event of a breach and liability claims. Wolf also expects more companies to investigate cyber liability insurance. “Because there is so much financial risk from having a breach, companies will be looking for ways to mitigate that risk,” she says.
The SEC disclosure guidelines come in a year that’s been one of the worst for breaches, including the attacks on RSA, Lockheed Martin, Sony, and Epsilon.
In May, Sen. John D. Rockefeller (D-W.Va.), chairman of the Commerce, Science and Transportation Committee, wrote a letter to the SEC chairman that asked the SEC to clarify corporate disclosure requirements for cybersecurity breaches.
“This guidance fundamentally changes the way companies will address cybersecurity in the 21st century,” Rockefeller said in a prepared statement. “For years, cyber risks and incidents material to investors have gone unreported in spite of existing legal obligations to disclose them. Intellectual property worth billions of dollars has been stolen by cybercriminals and investors have been kept completely in the dark. This guidance changes everything. It will allow the market to evaluate companies in part based on their ability to keep their networks secure.”
Marcia Savage is editor of Information Security. Send comments on this article to firstname.lastname@example.org
Dig Deeper on Risk assessments, metrics and frameworks
Learning from 2018 cybersecurity incidents: Perform due diligence
FAQ: How is digitization influencing SEC compliance priorities?By: Caron Carlson
SEC cybersecurity disclosure rules get a guidance update
Undisclosed SEC breach may have led to illegal stock trades