Pressure Rising to Disclose Security Risks
Regulators in the United States and abroad want to know more about what publicly listed companies are doing to prevent and detect data breaches.
June 01, 2013
Information security disclosures by publicly listed companies in U.S. Securities and Exchange Commission (SEC) filings more than doubled in the past six months, according to an analysis by Intelligize. The New York-based analysis firm found more than 800 references to cybersecurity in SEC filings during that period, a 106 percent increase, The Wall Street Journal reports.
Intelligize attributes the increase to informal SEC guidance issued in October 2011 that calls for voluntary information security disclosures by U.S.-listed companies. The guidance directs listed firms to "review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents." Specifically, the guidance advises firms to:
- Disclose such risk if it is among the most significant factors that could make an investment speculative or risky — considering the frequency and severity of previous incidents.
- Address cybersecurity incidents and risks in management's discussion and analysis of financial condition and results of operations if their costs or consequences represent a potential effect on operating results, liquidity, or financial condition.
- Disclose in their description of business any incidents that materially affect the company's products, services, customer or supplier relationships, or competitive conditions.
- Disclose information about litigation involving a cyber incident.
- Report on the effectiveness of disclosure controls and procedures.
In addition, the SEC guidance notes that companies can report on the costs of preventing data incidents as well as the damages, losses, and impact on financial statements incurred during or after such events. Several U.S. accounting standards provide guidance for such disclosures, the SEC points out.
Securities regulators outside the United States also have been paying greater attention to cybersecurity incidents, risks, and protective measures in recent years, as the number and impact of such events have increased. For example, the Australian federal government is considering a proposal to require companies to disclose data breaches that lead to the theft or publication of personal information, according to Financial Review. The Ponemon Institute, a Traverse City, Mich. security research firm, estimates that such incidents cost Australian firms an average of AU $2.7 million last year. That has prompted the Australian Institute of Company Directors to call for directors to obtain "sufficient IT literacy to critically examine information about IT" and to understand what other information they should request from executives.
Gail Pemberton, a former chief information officer and current public company director of Australia-based firms, tells Financial Review that directors often aren't aware of an organization's information security risk. "It's when it first happens that companies become really aware of the risks they're carrying and take action," she says.
Heightened board awareness may be forcing U.S. companies to be more forthcoming about their security risks, but the SEC might not be satisfied with what's being reported. The Wall Street Journal reports that SEC staff are currently reviewing whether disclosures provide enough information about information security risks and preventive measures, citing a letter that new SEC Chairman Mary Jo White wrote to Sen. Jay Rockefeller (D-W.Va.). Rockefeller has sought greater cybersecurity disclosures from listed firms. "It's important for investors to understand whether companies are effectively addressing all forms of risk, from financial and operational to cyber," Rockefeller said in a statement.