New Cyber Security Disclosure Guidance from the SEC

by Vince Crisler

Recent guidance from the SEC establishes new responsibilities for corporations. Public companies are expected to disclose all cyber security risks and cyber incidents that a reasonable investor would consider important in making an investment decision or if the information would significantly alter the total mix of information made available.

Excerpt:

Recent guidance from the Securities and Exchange Commission ("SEC") establishes new responsibilities for corporations. Public companies are expected to disclose all cyber security risks and cyber incidents that a reasonable investor would consider important in making an investment decision or if the information would significantly alter the total mix of information made available. Corporate counsel, directors, senior management, and information security professionals should reassess and evaluate corporate disclosure practices with this guidance in mind. Public corporations must be prepared to report cyber incidents within days after their occurrence.

Cyber security presents an enormous challenge to corporate counsel, directors, officers, and information security professionals. Corporations are constantly defending themselves against attacks from hackers and malicious software. Attacks may result in disruptions to corporate networks and the compromise of trade secrets, intellectual property, and financial and confidential data. Millions of dollars are spent to prevent and mitigate these attacks and to repair the resulting tangible and intangible damage to corporations. Understandably, investors are enormously concerned about the risks, costs, and liabilities associated with cyber security. Remediation costs, business interruption, security costs, lost revenues, litigation costs, and reputational damage can weigh heavily on corporate earnings and adversely affect a company's stock price.

Before October 2011, the SEC guidance was ambiguous concerning the disclosure of the risks associated with cyber security and the threats posed by hackers and malicious software. Nonetheless, there was a growing trend among leading technology companies to include cyber security risks and threats in their disclosures. Microsoft warned investors that security vulnerabilities in its infrastructure could lead to the theft of intellectual property, reduced revenues, liability claims, or competitive harm. The company disclosed the risk of attacks on its networks and data centers and the threat of a coordinated denial of service attack by hackers. Microsoft also discussed the resources devoted to protecting its networks and its strategy to adopt new technologies and systems to deter and defend against attacks. Similarly, in 2010, Google unexpectedly announced an attack targeting its e-mail system. Google's disclosure released details of the attack and the findings of its internal investigation. The company informed investors about the risk to Google's intellectual property and the company's strategy to secure its networks against other attacks. These disclosures created a baseline for what the SEC has come to expect from public companies.


Vince Crisler joined Zeichner Risk Analytics, LLC in April 2009 as the Senior Director, Cyber Initiative Programs. Prior to accepting this position, Vince served in two different leadership roles at the Executive Office of the President (EOP). Most recently, he served as the Director of Customer Advocacy and was responsible for standing up a new customer-focused directorate in the Office of the Chief Information Officer using Customer Relationship Management principles. Additionally, he served as the Director of Information Assurance and led a significant modernization program overhauling IT security, including the creation of the first-ever 24x7x365 Security Operations Center for the EOP. His efforts included significant work with the Department of Homeland Security, the National Security Council, the Homeland Security Council, the National Security Agency and the Defense Information Systems Agency.

Prior to joining the EOP, Vince was an Officer in the United States Air Force and served in the White House Communications Agency, the National Military Command Center in the Pentagon and Ramstein Air Base in Germany. Vince graduated from The Ohio State University with a degree in Computer and Information Science.

Information referenced herein is provided for educational purposes only. For legal advice applicable to the facts of your particular situation, you should obtain the services of a qualified attorney licensed to practice law in your state.
