Saturday, November 19, 2011

SEC Guidance Emphasizes Materiality for Cyber Incidents

Senator Jay Rockefeller and Secretary Michael Chertoff wrote the best article I've seen yet on the CF Disclosure Guidance: Topic No. 2, Cybersecurity issued by the SEC last month in their article A new line of defense in cybersecurity, with help from the SEC:

Managing cybersecurity risk has always been, and always will be, in large part a private sector responsibility...

Until recently, this responsibility may have been unclear — or unknown — to the directors and officers of publicly traded companies. But on Oct. 13, the Securities and Exchange Commission issued groundbreaking guidance to clarify companies’ disclosure obligations about material cybersecurity risks and events.

Federal securities law has long required publicly traded companies to report “material” risks and events — that is, information that the average investor would want to know before making an investment decision. But before the SEC’s action, many companies were not aware how — or perhaps even if — this duty applied to cybersecurity information. In fact, a Senate Commerce Committee review of past corporate disclosures suggested that a significant number of companies have not reported these risks for years.

This SEC guidance is critical because it allows market participants to weigh cybersecurity as an investment factor. It is generally understood that disclosing material breaches — such as the significant loss of a company’s intellectual property — will affect the value of a company, because existing or potential investors will reconsider their investment decisions. Without detailed public information about these events, investors are unaware of the risks to which companies are exposed. And without pressure from investors, corporate officers are less likely to change their risk-management practices.

The SEC guidance will fundamentally alter this equation by raising questions that historically have not been asked at many U.S. companies. Businesses will now have to consider, among other things, what constitutes a material cybersecurity breach and how to disclose such events to investors; how the value of intellectual property is measured; whether appropriate defenses are in place around that property; and whether risks are being appropriately mitigated, through defensive technologies or appropriate insurance coverage.
(emphasis added)

Make no mistake: this is a big deal. Until now "disclosure" laws have aimed at protecting consumers by making their PII the important aspect of a digital incident.

With the SEC guidance, we have a new audience for "disclosure" -- shareholders. The SEC is telling publicly traded companies that they have to disclose material cyber security incidents. Now the battle to define materiality will begin.

2 comments:

Alex said...

Richard,

Great post! Security risk is material risk. Hopefully the required transparency will help some public companies reconsider poor funding and resourcing decisions with regard to their defense.

-Alex

Anonymous said...

I wonder about the possiblity that publically traded infosec companies face double jeopardy, in that reporting a potential material breach they may also cast some doubt about effectiveness of product or services.