Late last week the Securities and Exchange Commission issued new guidance informing public companies that, under certain circumstances, they may need to disclose cyber breach information, or even potential security breaches, if there is a certain level of risk of financial impact to corporate earnings.
Security and legal experts don't expect the guidance to change the status quo.
The new guidance, issued late Thursday, reflects the growing reliance of business on IT systems today, and the risks that come with it. "For a number of years, registrants have migrated toward increasing dependence on digital technologies to conduct their operations. As this dependence has increased, the risks to registrants associated with cybersecurity have also increased, resulting in more frequent and severe cyber incidents," the statement says.
The guidance highlights the various factors public companies must take into account specific to their businesses in order to determine what breach information needs to be publicly disclosed. "A registrant may need to disclose known or threatened cyber incidents to place the discussion of cybersecurity risks in context," the statement says. "For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur. Instead, as part of a broader discussion of malware or other similar attacks that pose a particular risk, the registrant may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences," the SEC explained.
David Navetta, a founding partner of the Information Law Group, and Nicole Friess, an associate at the law firm, wrote in their blog post, "SEC Issues Guidance Concerning Cyber Security Incident Disclosure," not to expect a wave of new public security breach disclosures from listed companies as a result of the SEC guidance. "While cyber security risk has always been a potential financial disclosure issue, and something that directors and officers need to take into account, the SEC guidance really highlights the issue and brings it to the fore. Even so, materiality is still going to be a big issue, and not every breach will need to be reported as many/most will not likely involve the potential for a material impact to a company," they wrote.
Pete Lindstrom, research director at Spire Security, agrees. "It's not as if companies are not already expected to report a breach that is material to earnings, such as Heartland, TJX, and many others have in the past. What the SEC has done is underline that IT security risks to materiality are no different than any other types of risks and need to be considered as such," he says.
While we may not see a wave of new breach disclosures, Navetta and Friess expect that many firms are not as prepared internally as they need to be to determine the potential impact of IT security breaches. "It will be interesting to see how this affects the internal corporate dynamics between CIOs and their business counterparts. This guidance may provide additional leverage for security risk managers to obtain bigger budgets, new technology and more personnel," they wrote.