The US Securities and Exchange Commission (SEC) issued guidelines on when publicly traded companies should disclose significant cyber thefts and attacks: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm#_edn3. The SEC guidelines require disclosure “If it is reasonably likely that the attack will lead to reduced revenues, an increase in cybersecurity protection costs, including [costs] related to litigation, … if material. Alternatively, if the attack did not result in the loss of intellectual property, but it prompted the registrant to materially increase its cybersecurity protection expenditures, the registrant should note those increased expenditures.” The disclosure should not be boilerplate, but should provide information on (a) the aspects of the business affected by cybersecurity risk, (b) which cybersecurity functions have been outsourced, (c) a description of the incidents, (d) risks that may remain undetected, and (e) relevant insurance coverage. Disclosure of conclusions on the effectiveness of cybersecurity controls and procedures may also be required to the extent cyber incidents pose a risk to a registrant’s ability to record, process, summarize, and report information that is required to be disclosed in SEC filings.
This move by the SEC is not a surprise, but was slow in coming. Brian Wright and I wrote about possible SEC actions relating to the failure to disclose security issues back in September 2006 (Sarbanes-Oxley & Internal Controls: The Not So Hidden Implications for Information Technology and Information Security – September 2006 [pdf]). The issuance of these “guidelines” by the SEC’s Division of Corporation Finance will make it easier for the SEC to bring enforcement actions if a company does not make these disclosures. While I do not see the number of class actions increasing because of the disclosures (plaintiffs’ counsel have learned to use the AG websites to monitor breaches), the guidelines will result in an increase in shareholder class actions where the company has not disclosed a breach in its SEC filings.
The guidelines’ requirement to avoid generic and boilerplate disclosures also creates a tension with a well-known maxim in data security – knowledge is power. Detailed disclosures could have the detrimental effect of undermining security. Massachusetts has certainly reached this conclusion in deciding that breach notice letters should not include details regarding the incident: http://www.malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93h/Section3. While the guidelines recognize that “detailed disclosures could compromise cybersecurity efforts,” there is no guidance on where the line is drawn on the level of detail required. The obvious place to begin is the description of the incidents used in the notice letters sent to residents of states other than Massachusetts.