Following the UK’s Information Commissioner’s call for compulsory audits and Disclosure Laws in France and Germany the US Securities and Exchange Commission (SEC) has release a statement containing Disclosure Guidance.
In setting the scene for their Gisclosure Guidance the SEC points out the risks and results of a Cyber attack,
Victim(s) to successful cyber attacks may incur substantial costs and suffer other negative consequences, which may include, but are not limited to:
- Remediation costs that may include liability for stolen assets or information and repairing system damage that may have been caused.
- Remediation costs may also include incentives offered to customers or other business partners in an effort to maintain the business relationships after an attack;
- Increased cybersecurity protection costs that may include organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third party experts and consultants;
- Lost revenues resulting from unauthorized use of proprietary information or the failure to retain or attract customers following an attack;
- Reputational damage adversely affecting customer or investor confidence
When identifying the situations when a post Cyber Attack disclosure is required the SEC notes the following:
- Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.
- Registrants should address cybersecurity risks and cyber incidents in their MD&A if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.
- If one or more cyber incidents materially affect a registrant’s products, services, relationships with customers or suppliers, or competitive conditions, the registrant should provide disclosure in the registrant’s “Description of Business.”
- If a material pending legal proceeding to which a registrant or any of its subsidiaries is a party involves a cyber incident, the registrant may need to disclose information regarding this litigation in its “Legal Proceedings” disclosure.
- To the extent a cyber incident is discovered after the balance sheet date but before the issuance of financial statements, registrants should consider whether disclosure of a recognized or nonrecognized subsequent event is necessary.
As with other governmental “guidance”, the overall theme is slightly vague. Even the initial summary raises the question “why offer the guidance if it has no meaning or enforcement“.
“This guidance is not a rule, regulation, or statement of the Securities and Exchange Commission. Further, the Commission has neither approved nor disapproved its content.”
It is going to take an organisation to suffer a data breach and then not deal with the resulting fall-out in a professional and appropriate way for the SEC to step in and make an “example” of them. Then the case will be proven and the vagueness will be taken out of the guidance, hopefully.
As always, the answer is prevention it is better than the cure. Some simple precautions are below:
- Policies. Ensure your staff know how to deal with data and to know what to if a breach of suspected breach occurs
- Procedures. Documented and test procedures for data handling, change management, etc
- Security Solutions. Do not rely on Anti Virus and Firewalls, implement access controls, Security Information & Event Management (SIEM) and of course Encryption.
- Audits. Regular and thorough audits or people, processes and solutions
- Incident response planning and testing. No matter how much time and money is invest in prevention things can go wrong and it is how an organisation deals with the incident that can be the difference a good or bad outcome.
The SEC’s full statement is here.