The U.S. Securities and Exchange Commission (SEC) released guidance to public corporations on Thursday, urging better disclosure when it comes to security incidents, and investment risks. The recommendations originated from the Corporation Finance division of the SEC, which looks after investors and ensures they’re properly informed of all investment related details.
While there are no disclosure requirements on the books that mention cybersecurity, registered companies “should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky,” the SEC’s recommendations explain. [Source]
“In determining whether risk factor disclosure is required, we expect registrants to evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents. As part of this evaluation, registrants should consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption.”
Stripping out some of the heavy wording, the SEC is essentially telling businesses that they should evaluate the risks when it comes to unauthorized access targeting databases and the information they contain; unauthorized access to networks or systems; authorized access that results in a loss of assets and / or information, and DDoS attacks. Once that is done, they should be prepared to disclose this information if the weighted risks could impact investments.
“We are mindful of potential concerns that detailed disclosures could compromise cybersecurity efforts -- for example, by providing a “roadmap” for those who seek to infiltrate a registrant’s network security -- and we emphasize that disclosures of that nature are not required under the federal securities laws,” the SEC states.
Be that as it may, the most important part of the SEC’s recommendations is that businesses “must provide certain disclosures of losses that are at least reasonably possible” both during and after a breach, in order to better inform investors or potential investors.
There is an upside, but more of a delay process really, that public companies can use to limit some shame and embarrassment.
According to the SEC, if the security incident is discovered after the balance sheet date, but before the issuance of financial statements, “...registrants should consider whether disclosure of a recognized or nonrecognized subsequent event is necessary.”
“If the incident constitutes a material nonrecognized subsequent event, the financial statements should disclose the nature of the incident and an estimate of its financial effect, or a statement that such an estimate cannot be made.”
In a statement, Senator John Rockefeller, who voiced concerns earlier in the year that publically traded companies were not disclosing security breaches adequately enough, said the SEC’s move changes everything.
“Intellectual property worth billions of dollars has been stolen by cyber criminals, and investors have been kept completely in the dark. This guidance changes everything. It will allow the market to evaluate companies in part based on their ability to keep their networks secure. We want an informed market and informed consumers, and this is how we do it.”
One would think that this will force public companies to tighten security controls, but that isn’t going to happen any time soon. However, the fear of seeing the financial impact of a breach hitting the headlines might spur some executives to pressure IT teams to do more with less, as a business can’t spend money that isn’t there.