The Tech Herald

SEC pushes for disclosure of business risk profiles and attack details

by Steve Ragan - Oct 14 2011, 09:30

The U.S. Securities and Exchange Commission (SEC) released guidance to public corporations on Thursday, urging better disclosure when it comes to security incidents, and investment risks. The recommendations originated from the Corporation Finance division of the SEC, which looks after investors and ensures they’re properly informed of all investment related details.

While there are no disclosure requirements on the books that mention cybersecurity, registered companies “should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky,” the SEC’s recommendations explain. [Source]

“In determining whether risk factor disclosure is required, we expect registrants to evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents. As part of this evaluation, registrants should consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption.”

Stripping out some of the heavy wording, the SEC is essentially telling businesses that they should evaluate the risks when it comes to unauthorized access targeting databases and the information they contain; unauthorized access to networks or systems; authorized access that results in a loss of assets and / or information, and DDoS attacks. Once that is done, they should be prepared to disclose this information if the weighted risks could impact investments.

“We are mindful of potential concerns that detailed disclosures could compromise cybersecurity efforts -- for example, by providing a “roadmap” for those who seek to infiltrate a registrant’s network security -- and we emphasize that disclosures of that nature are not required under the federal securities laws,” the SEC states.

Be that as it may, the most important part of the SEC’s recommendations is that businesses “must provide certain disclosures of losses that are at least reasonably possible” both during and after a breach, in order to better inform investors or potential investors.

There is an upside, but more of a delay process really, that public companies can use to limit some shame and embarrassment.

According to the SEC, if the security incident is discovered after the balance sheet date, but before the issuance of financial statements, “...registrants should consider whether disclosure of a recognized or nonrecognized subsequent event is necessary.”

“If the incident constitutes a material nonrecognized subsequent event, the financial statements should disclose the nature of the incident and an estimate of its financial effect, or a statement that such an estimate cannot be made.”

In a statement, Senator John Rockefeller, who voiced concerns earlier in the year that publically traded companies were not disclosing security breaches adequately enough, said the SEC’s move changes everything. 

“Intellectual property worth billions of dollars has been stolen by cyber criminals, and investors have been kept completely in the dark. This guidance changes everything. It will allow the market to evaluate companies in part based on their ability to keep their networks secure. We want an informed market and informed consumers, and this is how we do it.”

One would think that this will force public companies to tighten security controls, but that isn’t going to happen any time soon. However, the fear of seeing the financial impact of a breach hitting the headlines might spur some executives to pressure IT teams to do more with less, as a business can’t spend money that isn’t there.

Around the Web

Comment on this Story

comments powered by Disqus

From Autosaur.com

Chevrolet shows off the 2015 Colorado with digital experience

Chevrolet has launched a new website to show buyers all the bells and whistles available on ...

Mazda to debut CX-3 and MX-5 at Los Angeles Auto Show

Mazda has announced plans to premiere the new Mazda CX 3, its new compact crossover SUV, at ...

Ford issues safety recall for 204,448 Ford Edge and Lincoln MKX

Ford has issued a safety recall for 204,448 of the 2007-2008 Ford Edge and Lincoln MKX in No...

Mopar Previews SEMA Custom Rides

We have added a set of pictures released by Mopar ahead of the SEMA Show. Mopar are bri...

Audi R8 Competition – The Most Powerful Production Audi Ever

Audi has revealed details of their new super-fast Audi R8 Competititon — the most powerful a...