That’s right — the Securities and Exchange Commission has determined that risks associated with cybersecurity can be material enough to require that they be included in companies’ disclosures. The SEC issued disclosure guidance on October 13, 2011 to alert companies that these risks may fall within their existing disclosure requirements.
In other words, what the SEC was saying, in its simplest form, is that companies’ senior management needs to wake up and take cybersecurity risks seriously. I agree.
I would like to thank my friend Jim Brashear (@JFBrashear) for alerting me to this. Jim is General Counsel for Zix Corporation, which is the standard bearer for email encryption. Jim knows far more about this disclosure issue than I could ever hope to know. In fact, he foresaw this, and last June he wrote a blog post on TheCorporateCounsel.net entitled Senators Ask SEC for Guidance on Information Security Risk Disclosure. I would encourage you to read the post. And, if you ever get a chance to see one of Jim’s PowerPoint presentations, you owe it to yourself to take it — trust me, you will learn and be entertained! Thanks Jim!
Related articles
- SEC Mandates Cyber Incident Reporting (informationweek.com)
- SEC Pushes For Disclosure Of Business Risk Profiles And Attack Details (teamshatter.com)
- SEC Issues New Cybersecurity Guidelines for Publicly Traded Companies (theneteconomy.wordpress.com)
- SEC issues guidance telling public companies when to disclose cyber attacks (sec.gov)
- SEC orders disclosure of ‘potential’ security breaches (news.cnet.com)
An interesting sidelight to this (and to your “Insiders As The Biggest Security Risk” post) is access to key data via peripheral systems. One system I worked on, a credit card system, allowed our users, including those at the companies whose credit cards we processed, access to some parts of our databases for end-user informational reports – traffic levels at various stores, month-to-month sales and charges processed, and so forth. The sub-system that allowed the access to report information had very weak security, with passwords shared among numerous people. However, there were a few user sign-ins that were specially set up to allow access to our main data, including cardholder information like SSNs and credit ratings, for programmers to test reports. One of our programmers passed his password around to a couple of users while a security update was going on, temporarily opening confidential data to ANY of our customers! No harm was done, and no harm was intended, but internal security was DEFINITELY beefed up after that incident. If that confidential data had gotten out, we would not only have lost cardholders, but also the companies for whom we were doing credit card processing. In a multi-million, bordering on billion, dollar business, that is a painful loss, to say the least!