Companies Should Take Heed of Best Practices Outlined in the SEC’s Cybersecurity Disclosure Guidance, Experts Say

Although the Securities and Exchange Commission’s recent Cybersecurity Disclosure Guidance is by no means a mandate, companies should take heed of its best practices before they find themselves sued for securities fraud, experts in the cyber risk field say.

“It is not a mandate. It is a recommendation by which companies should abide. There’s nothing that says you have to do it other than common sense and an effort to keep your company from being sued for securities fraud,” said Richard Bortnick, Esq., of Cozen O’Connor, speaking at the NetDiligence® Cyber Risk & Privacy Forum on June 5.

The SEC released CF Disclosure Guidance: Topic No. 2 Cybersecurity on Oct. 13, 2011, which lays out the SEC’s Division of Corporation Finance’s view regarding disclosure obligations related to cybersecurity risks and cyber incidents. The Guidance followed an investigation by a group of U.S. Senators who found that cyber risks and events are improperly reported and that 40 percent of companies do not report cyber risks. They asked the SEC to issue “guidance regarding the disclosure of information security risk, including material network breaches.”

“Disclosing material information is a historical requirement based on the 1934 Securities and Exchange Act. Unfortunately, a study by the Senate Commerce Committee suggests that in spite of regular occurrences of significant breaches, losses, and risks, many companies were not disclosing material information as it pertains to cybersecurity risks and events,” said Jacob Olcott of Good Harbor Consulting.

Olcott said that the losses that weren’t being disclosed included cyber-enabled theft of valuable intellectual property, business secrets, trade secrets, and sensitive transactional information. “It’s the pharmaceutical formulas. It’s the next-generation research and development designs and blueprints—those are the things that are being stolen and those are the things that are not being disclosed today to investors,” he said.

Under the SEC’s guidance, Bortnick said, “Public companies should be prepared to talk about cyber incidents—prior incidents, potential future incidents. Public companies also should address their existing security processes and procedures. And, perhaps most importantly, companies should be prepared to disclose information about their relevant insurance.”

“If you’re a public company the suggestion is—and I would go so far as to say not just a suggestion, the best practice mandate is—you’d better have insurance,” he said. Bortnick also said that even privately held companies should take heed of the SEC’s Disclosure Guidance. “If you are a private company and you are a contract partner with a public company that has these disclosure obligations, that public company is going to need you … to tell them about your exposures and risks and insurance because it may be material to and bear on your partner’s evaluation of its own business and exposures and SEC disclosure obligations,” he said.

“And it should be stressed … whether you’re mom and pop, or whether you’re Fortune® 50, if you want to do business in a global economy, then you really need to perform these assessments and be prepared to disclose the relevant information. To the extent you’re ignoring the SEC’s disclosure suggestions you’re making a big mistake on many levels. Indeed, beyond potential SEC exposures, you need to do the assessments and be prepared to make the necessary disclosures because your current and future business partners are going to require you to advise them of that information in order to make their own internal assessments and, in turn, publish their own SEC disclosures in compliance with the Guidance,” Bortnick continued.

Olcott said that the Guidance represents a “new way of thinking about cyber risk.” He said that many companies maintain information security programs that are designed to protect custodial data, including payment card information, Social Security numbers and healthcare information. But companies need to go beyond custodial information to protect the information and assets that are essential to the financial growth of the business. “It’s important to keep doing what you did, because you have obligations under state law and PCI [the Payment Card Industry Data Security Standard]. But this is about understanding the cyber risk to the business itself. And how cyber risk can impact business operations, financial returns, and legal liabilities,” said Olcott.

Bortnick agreed about the significance of the guidance to companies.

“I think as much as anything, this was designed to put cyber exposures on the radars of the C-level executives. Heretofore, cyber-related issues were within the province of the IT department. Conversely, management and board members really didn’t focus on IT. In fact, the only time they focused on IT was when they were slashing budgets,” he said.

“The guideline may be a best practice, but if something happens and you haven’t implemented best practices and then get sued, what are the plaintiff lawyers going to say? The plaintiff lawyers are going to say, ‘they didn’t implement best practices, they were negligent,’” said Bortnick.