Monday, May 14, 2012

SEC Guidance Is a Really Big Deal

In November I wrote SEC Guidance Emphasizes Materiality for Cyber Incidents, my thoughts after reading an article by Senator Jay Rockefeller and former DHS Secretary Michael Chertoff. They explained why the CF Disclosure Guidance: Topic No. 2, Cybersecurity issued by the SEC in October is a big deal.

Since then I attended a conference on Director's and Officer's insurance in Connecticut, and spoke on a panel about that SEC guidance. During the conference I learned that the SEC guidance isn't a big deal -- it's a really big deal. We're talking a game changer, potentially on three fronts. Here's what I heard at the conference.

  1. First, lawyers who read the language in the SEC guidance treated it as a "stop whatever you're doing and read this" moment. The lawyers I spoke to said the SEC guidance absolutely defined new reporting duties for companies, despite talk of it being merely a "clarification" or restatement of existing guidance.

    Clients bombarded insurance firms asking what language they should use in their SEC disclosure documents. They asked "what are other companies saying? What should we say?" The firms noted similar boiler plate shared among clients, most of which insufficiently met the SEC's requirements.

    One lawyer I spoke with said she expects the SEC to give publicly traded firms a "one year pass" before bringing enforcement actions against them for insufficiently outlining digital risk, pre- and post-breach.

  2. Second, the SEC language will encourage shareholder lawsuits against companies by disgruntled parties who believe boards are not disclosing risks and actual breach details to investors. This will probably not be the primary cause for a suit but it will likely be one of other factors a shareholder action uses to show that a board is not fulfilling their duties to investors.
  3. Third, the SEC language may prompt whistleblower reports from dissatisfied IT and security staff to organizations like the SEC Office of the Whistleblower. (That is a real organization!) In the seven weeks beginning with this new office's launch in August 2011, parties reported 334 tips from 37 states and 11 countries, with successful enforcement actions in up to 30% of cases.

    Although it doesn't appear that this new office has paid any whisteblowers yet, it is apparently gearing up to do so. Imagine a case where security staff believes that management is not treating a breach as the staff thinks it should be treated, and decides to report the incident to the SEC -- with the possibility of a payout waiting!

Right now Congress doesn't seem to think that the SEC rules are working. Joe Menn reported in Hacked companies still not telling investors the following:

At least a half-dozen major U.S. companies whose computers have been infiltrated by cyber criminals or international spies have not admitted to the incidents despite new guidance from securities regulators urging such disclosures.

Top U.S. cybersecurity officials believe corporate hacking is widespread, and the Securities and Exchange Commission issued a lengthy "guidance" document on October 13 outlining how and when publicly traded companies should report hacking incidents and cybersecurity risk.

But with one full quarter having elapsed since the SEC request, some major companies that are known to have had significant digital security breaches have said nothing about the incidents in their regulatory filings.

Now Senator Rockefeller is taking a closer look as reported by Jennifer Martinez of Politico this week:

Senate Commerce Chairman Jay Rockefeller thinks the SEC needs to ensure hacked companies are adequately informing their investors about when they suffer a security breach or cybersecurity risk that could jeopardize their financial standing.

The West Virginia Democrat wants the full commission to issue guidance for companies — right now they only have staff-level instructions — on when they have to report cyber breaches or threats and what steps they’re taking to minimize the risks.

“It’s crucial that companies are disclosing to investors how cybersecurity risks affect their bottom lines, and what they are doing to address those risks,” Rockefeller said in a statement to POLITICO.

Rockefeller will soon introduce an amendment that calls on the SEC to issue interpretive guidance on when companies must disclose cybersecurity risks and intrusions. Staffers for the Commerce Committee are finalizing the amendment and aim to introduce it before Sen. Joe Lieberman’s (I-Conn.) cybersecurity bill goes to the floor.

This is the sort of activity that I think is going to mark a sea change in digital security over the coming years. I don't expect engineering or technical developments to have anywhere near the same level of impact as issues that involve legislators, lawyers, insurers, and financiers. Stay tuned!

4 comments:

nickg said...

I suspect SarbOx will also force these rules to many private companies as well. Perhaps not legally but the public company might just demand it anyways to limit liability.

Anonymous said...

If I as a security admin notice an issue that ends up not being reported, I can potentially turn them in and get money? As security, I probably have the knowledge and/or skills to accomplish said breaches, or at least lead others to them. Sounds like a new way to put on your black hat. (Assuming you're an 'eligible individual' who doesn't get caught...)

Just one way of looking at it. :)

-LonerVamp

Anonymous said...

IMO, this guidance is quite simply a reiteration of the uncommon sense that a public company is obligated to disclose the “whole truth” … to the owners of sensitive information for which the public company has custodianship and to the consumers of services related to consumption/storage/transaction/etc. of said sensitive information. Public companies – be responsible or you’ll be held accountable – don’t act like a nameless/faceless entity or your names/faces will probably be disclosed in a less than pleasant enforcement action.

Anonymous said...

The SEC guidance certainly looks to have potential. I also remember you expressing interest recently in cyber insurance. Harvard has a good wiki (sponsored by Minerva) containing good resources on the economics of cyber security (including insurance) - http://cyber.law.harvard.edu/cybersecurity/Insurance

In addition - Security and Human Behavior (SHB 2012) just finished. It normally generates some highly thought-provoking material - http://www.schneier.com/blog/archives/2012/06/security_and_hu_1.html

Best wishes,
@Dave_Clemente