by Vince Crisler
Recent guidance from the Securities and Exchange Commission ("SEC") establishes new responsibilities for corporations. Public companies are expected to disclose all cyber security risks and cyber incidents that a reasonable investor would consider important in making an investment decision, or that would significantly alter the total mix of information made available. Corporate counsel, directors, senior management, and information security professionals should reassess and evaluate corporate disclosure practices with this guidance in mind. Public corporations must be prepared to report cyber incidents within days after their occurrence.
Cyber security presents an enormous challenge to corporate counsel, directors, officers, and information security professionals. Corporations are constantly defending themselves against attacks from hackers and malicious software. Attacks may result in disruptions to corporate networks and the compromise of trade secrets, intellectual property, and financial and confidential data. Millions of dollars are spent to prevent and mitigate these attacks and to repair the resulting tangible and intangible damage to corporations. Understandably, investors are enormously concerned about the risks, costs, and liabilities associated with cyber security. Remediation costs, business interruption, security costs, lost revenues, litigation costs, and reputational damage can weigh heavily on corporate earnings and adversely affect a corporation's stock price.
Before October 2011, the SEC guidance was ambiguous concerning the disclosure of the risks associated with cyber security and the threats posed by hackers and malicious software. Nonetheless, there was a growing trend among leading technology companies to include cyber security risks and threats in their disclosures. Microsoft warned investors that security vulnerabilities in its infrastructure could lead to the theft of intellectual property, reduced revenues, liability claims, or competitive harm. The company disclosed the risk of attacks on its networks and data centers and the threat of a coordinated denial of service attack by hackers. Microsoft also discussed the resources devoted to protecting its networks and its strategy of adopting new technologies and systems to deter and defend against attacks. Similarly, in 2010, Google unexpectedly announced an attack targeting its e-mail system. Google's disclosure released details of the attack and the findings of its internal investigation. The company informed investors about the risk to Google's intellectual property and the company's strategy to secure its networks against further attacks. These disclosures created a baseline for what the SEC has come to expect from public companies.
This text is an excerpt from the LexisNexis Emerging Issues commentary "New Cyber Security Disclosure Guidance from the SEC."
Vince Crisler joined Zeichner Risk Analytics, LLC in April 2009 as the Senior Director, Cyber Initiative Programs. Prior to accepting this position, Vince served in two different leadership roles at the Executive Office of the President (EOP). Most recently, he served as the Director of Customer Advocacy and was responsible for standing up a new customer-focused directorate in the Office of the Chief Information Officer using Customer Relationship Management principles. Additionally, he served as the Director of Information Assurance and led a significant modernization program overhauling IT Security, including the creation of the first-ever 24x7x365 Security Operations Center for the EOP. His efforts included significant work with the Department of Homeland Security, the National Security Council, the Homeland Security Council, the National Security Agency and the Defense Information Systems Agency.
Prior to joining the EOP, Vince was an Officer in the United States Air Force and served in the White House Communications Agency, the National Military Command Center in the Pentagon and Ramstein Air Base in Germany. Vince graduated from The Ohio State University with a degree in Computer and Information Science.
Information referenced herein is provided
for educational purposes only. For legal advice applicable to the facts of your
particular situation, you should obtain the services of a qualified attorney
licensed to practice law in your state.