In late October, I participated in a panel discussion at the Association of Corporate Counsel Conference 2011 in Denver, Colorado—the topic was Protecting Your Company from WikiLeaking. A portion of my presentation focused on ways in which corporations can develop a repeatable process to identify where sensitive data should and should not be.
I became particularly interested in partaking in the panel discussion on WikiLeaks, not only because it is a timely topic, but also because it encompasses aspects of information governance, privacy and security. WikiLeaks recently announced it was going to temporarily cease operations to raise money to finance the website. However, the issues at the heart of the WikiLeaks discussion, such as security and data breaches, continue to grow in scope and severity.
The senators' concern is that investors are having difficulty evaluating the cybersecurity risks faced by organizations, and that corporations are not making sufficient disclosures about those risks in their public filings. According to the SEC in issuing the guidelines, "We have observed an increased level of attention focused on cyberattacks that include, but are not limited to, gaining unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data, or causing operational disruption." The guidelines lay the groundwork for future shareholder suits based on a failure to disclose such attacks.
The guidelines come on the heels of a number of recent high-profile, large-scale data security breaches involving Citicorp, Sony, NBC and others, many of which have affected organizations around the world. A catalyst for the guidelines is the perceived failure of many organizations to report such breaches in a timely manner, or to take affirmative, practical steps to address and mitigate the risk of a significant breach. To address future disclosure failures, the SEC released the guidelines calling on companies to disclose material data security breaches and the steps taken to mitigate such risks.
The SEC indicated that in evaluating the risks associated with cyber incidents and determining whether those incidents should be reported, organizations should consider:
- Prior cyber incidents and the severity and frequency of those incidents
- The probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption
- The adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware
Rather than imposing new obligations on organizations, the SEC guidance highlights what company executives already knew about their obligations to report cyber incidents but may not have fully appreciated. The true linchpin for every organization will be the determination of materiality: deciding which breaches get reported and which do not.