When the U.S. Securities and Exchange Commission (SEC) talks, people listen; and when the topic turns to cybersecurity, people are obliged to act. Estimates of the economic costs of commercial cyber-espionage to the United States top $100 billion annually. Security breaches affecting companies such as Sony, Target, Anthem, as well as various US government agencies, seem to make headlines each week. Yet, with all the attention paid to cybersecurity, organizations react to and publicly disclose incidents in remarkably inconsistent ways. The SEC’s Division of Corporation Finance (DoCF) continuously assesses public companies’ disclosure processes, and it provides guidance designed to increase corporate transparency and information around cybersecurity. The SEC’s growing attention to cybersecurity disclosure should motivate the external audit community (e.g. PwC, EY, Deloitte, KPMG, etc.), and the entities they audit, to raise their game by ensuring that technology controls get the attention they deserve.
The mission of the SEC’s DoCF is to protect investors, maintain fair, orderly, and efficient markets, and facilitate capital formation. It seeks to ensure that investors are provided with material information in order to make informed investment decisions. Current SEC guidance to companies on cybersecurity disclosure dates to October 2011, and the growing frequency and magnitude of cyber-incidents has caused some political leaders to urge the SEC to do even more.
According to SEC Chair Mary Jo White, “The October 2011 guidance assists public companies in framing cybersecurity disclosures in light of their own facts and circumstances. The guidance states that cybersecurity risks, along with other business risks, are among the factors a public company should consider in evaluating its disclosure. An evaluation of cybersecurity risks requires a public company to review its cybersecurity practices and how those practices are maintained. Companies should consider the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and the related risks to that security, including threatened attacks of which they are aware.”
On April 9, 2013, Senator John D. Rockefeller IV (D-WV), in his role as Chairman of the Committee on Commerce, Science and Technology, wrote to Chair White, urging her to further strengthen disclosure requirements. He was “concerned about inconsistencies in disclosures, investor confusion, and the fact that many corporate leaders did not fully recognize the relationship between their companies’ cybersecurity measures and financial success.”
On June 17, 2015, Congressmen James Langevin (D-RI) and James Himes (D-CT) wrote Chair White on the same topic, and reinforced principles from the President’s Council of Advisors on Science and Technology (PCAST) November 2013 report, “Immediate Opportunities for Strengthening the Nation’s Cybersecurity.” They were prescriptive in the sort of information they thought companies (so-called SEC registrants) should disclose in their annual 10-K reports, suggesting that companies reveal:
· How the registrant determines the best cybersecurity practices for its industry;
· The registrant's present state of conformity to those practices;
· The registrant's plan and schedule for achieving full conformity;
· How the registrant is ensuring that its best practices are improved and updated in response to evolving threats; and,
· The frequency with which the registrant's CEO, CFO, and Board of Directors are briefed on cyber/information security incidents.
Langevin and Himes make some great points. “Materiality as it relates to cyber risk is particularly difficult to assess both because we lack sufficient data from past cyber attacks and because the effects are often not distinguishable from the many confounding variables surrounding a company's earnings.” Undaunted, they add: “What gets measured gets managed. Companies must invest in practices and protocols to continuously identify and mitigate their exposure to cyber risk by fully understanding their own vulnerabilities and the threat actors. Protecting intellectual property, trade secrets, and customer information must be a priority for government, corporations and consumers alike - it should be viewed not as a cost, but as an investment. A robust, secure supply chain, be it for physical goods or the transmission and storage of information, is critical for businesses and is in the interest of all parties.”
On July 22, 2015, Chair White responded to the Congressmen. She said that the staff has observed an increase in cybersecurity disclosures by public companies since the issuance of the 2011 guidance. While she didn’t commit to the specific actions suggested by the Congressmen, she said that the SEC will continue to assess whether there is a current need to update or revise the guidance and that they have taken a number of measures to address the cybersecurity issue, especially within the investment management community. This story will evolve, and we could even see related legislation emerge as the SEC considers the adequacy of their guidance in the face of a growing cybersecurity menace.
Readers of this blog will recall Why CFOs Must Own Cybersecurity. Sarbanes-Oxley, informed by the COSO internal control framework’s new emphasis on technology controls, is reason enough for CFOs to ensure that they drive their organization to higher standards of IT housekeeping. IT Security professionals play a key role in all of this, but cybersecurity issues, and the actions needed to address them, cut across organizations and now get visibility in the boardroom. The SEC has been far from silent in asking companies, through their CFO comment letters, about their cybersecurity practices, but It seems clear that the SEC will go far deeper in this regard.
Will the response to your SEC comment letter and the cybersecurity disclosure in your public filings put investors at ease? What are you doing to protect your company’s critical data assets? Considering the stakes involved, why would management want to have to play catch-up on cybersecurity disclosure requirements handed down to them by regulatory agencies? Companies should want to be ahead of the game, not only for compliance purposes, but because it’s smart and prudent business.