SEC issues guidance on cybersecurity disclosure

Agency may be setting the stage for enforcement actions

Whether they’re in banking, retail or the defense industry, companies across a huge range of sectors face a diverse array of cybersecurity risks every day, from parties that seek to steal information or intellectual property to those that aim to disrupt company operations or corrupt data.

An April 2011 attack on Sony’s PlayStation Network compromised personal customer data from more than 100 million accounts, forcing the network to shut down for a month. The Goldman Sachs Group Inc. quickly realized it was a victim in 2009 when a computer programmer on his last day of employment with the company stole proprietary software to shop it to his new employer. In January 2010, Google Inc. said it was the victim of attackers seeking information on Chinese human rights activists, in an attack that also targeted 20 other companies across various industries. And participants in the amorphous hacking group Anonymous targeted a string of corporate websites in 2010 and 2011 with distributed denial of service (DDoS) attacks, which overwhelm networks and crash systems.

Urgent Challenge

A group of five U.S. senators, including John Rockefeller, chairman of the Commerce, Science and Transportation Committee, sent a letter to SEC Chairman Mary Schapiro in May 2011 requesting that the agency issue interpretive guidance to address investor confusion and reporting inconsistencies by clarifying how existing disclosure requirements apply to information security risk. They cited a 2009 survey by insurance underwriter Hiscox, which found that 38 percent of Fortune 500 companies made a “significant oversight” by failing to mention privacy or data security exposures in their public filings.

The other disclosure obligations the SEC outlined covered MD&A (Management’s Discussion and Analysis of financial condition), Description of Business (if a cyber incident materially impacts the viability of, for example, a new product), Legal Proceedings (as they relate to a cyber incident) and Financial Statement Disclosures (if a cyber incident has an impact on financial statements).

The guidance recognizes that one of the challenges for companies that disclose will be to balance the need for detailed disclosures with some measure of secrecy, so that they avoid laying out a road map for potential attackers. The SEC emphasized that it won’t require disclosures that could compromise cybersecurity efforts.

Associate Editor

Melissa Maleske
