That’s right — the Securities and Exchange Commission has determined that risks associated with cybersecurity can be material enough to require that they be included in companies’ disclosures. The SEC issued a disclosure guidance on October 13, 2011 to alert companies that these risks may fall within their existing disclosure requirements.
In other words, what the SEC was saying, in its simplest form, is that companies’ senior management needs to wake up and take cybersecurity risks seriously. I agree.
I would like to thank my friend Jim Brashear (@JFBrashear) for alerting me to this. Jim is General Counsel for Zix Corporation, which is the standard bearer for email encryption. Jim knows far more about this disclosure issue than I could ever hope to know. In fact, he foresaw this, and last June he wrote a blog post on TheCorporateCounsel.net entitled Senators Ask SEC for Guidance on Information Security Risk Disclosure. I would encourage you to read the post. And, if you ever get a chance to see one of Jim’s PowerPoint presentations, you owe it to yourself to take it — trust me, you will learn and be entertained! Thanks Jim!
- SEC Mandates Cyber Incident Reporting (informationweek.com)
- SEC Pushes For Disclosure Of Business Risk Profiles And Attack Details (teamshatter.com)
- SEC Issues New Cybersecurity Guidelines for Publicly Traded Companies (theneteconomy.wordpress.com)
- SEC issues guidance telling public companies when to disclose cyber attacks (sec.gov)
- SEC orders disclosure of ‘potential’ security breaches (news.cnet.com)