Since then I attended a conference on Director's and Officer's insurance in Connecticut, and spoke on a panel about that SEC guidance. During the conference I learned that the SEC guidance isn't a big deal -- it's a really big deal. We're talking a game changer, potentially on three fronts. Here's what I heard at the conference.
- First, lawyers who read the language in the SEC guidance treated it as a "stop whatever you're doing and read this" moment. The lawyers I spoke to said the SEC guidance absolutely defined new reporting duties for companies, despite talk of it being merely a "clarification" or restatement of existing guidance.
Clients bombarded insurance firms asking what language they should use in their SEC disclosure documents. They asked "what are other companies saying? What should we say?" The firms noted similar boiler plate shared among clients, most of which insufficiently met the SEC's requirements.
One lawyer I spoke with said she expects the SEC to give publicly traded firms a "one year pass" before bringing enforcement actions against them for insufficiently outlining digital risk, pre- and post-breach.
- Second, the SEC language will encourage shareholder lawsuits against companies by disgruntled parties who believe boards are not disclosing risks and actual breach details to investors. This will probably not be the primary cause for a suit but it will likely be one of other factors a shareholder action uses to show that a board is not fulfilling their duties to investors.
- Third, the SEC language may prompt whistleblower reports from dissatisfied IT and security staff to organizations like the SEC Office of the Whistleblower. (That is a real organization!) In the seven weeks beginning with this new office's launch in August 2011, parties reported 334 tips from 37 states and 11 countries, with successful enforcement actions in up to 30% of cases.
Although it doesn't appear that this new office has paid any whisteblowers yet, it is apparently gearing up to do so. Imagine a case where security staff believes that management is not treating a breach as the staff thinks it should be treated, and decides to report the incident to the SEC -- with the possibility of a payout waiting!
At least a half-dozen major U.S. companies whose computers have been infiltrated by cyber criminals or international spies have not admitted to the incidents despite new guidance from securities regulators urging such disclosures.
Top U.S. cybersecurity officials believe corporate hacking is widespread, and the Securities and Exchange Commission issued a lengthy "guidance" document on October 13 outlining how and when publicly traded companies should report hacking incidents and cybersecurity risk.
But with one full quarter having elapsed since the SEC request, some major companies that are known to have had significant digital security breaches have said nothing about the incidents in their regulatory filings.
Now Senator Rockefeller is taking a closer look as reported by Jennifer Martinez of Politico this week:
Senate Commerce Chairman Jay Rockefeller thinks the SEC needs to ensure hacked companies are adequately informing their investors about when they suffer a security breach or cybersecurity risk that could jeopardize their financial standing.
The West Virginia Democrat wants the full commission to issue guidance for companies — right now they only have staff-level instructions — on when they have to report cyber breaches or threats and what steps they’re taking to minimize the risks.
“It’s crucial that companies are disclosing to investors how cybersecurity risks affect their bottom lines, and what they are doing to address those risks,” Rockefeller said in a statement to POLITICO.
Rockefeller will soon introduce an amendment that calls on the SEC to issue interpretive guidance on when companies must disclose cybersecurity risks and intrusions. Staffers for the Commerce Committee are finalizing the amendment and aim to introduce it before Sen. Joe Lieberman’s (I-Conn.) cybersecurity bill goes to the floor.
This is the sort of activity that I think is going to mark a sea change in digital security over the coming years. I don't expect engineering or technical developments to have anywhere near the same level of impact as issues that involve legislators, lawyers, insurers, and financiers. Stay tuned!