During a conference on directors' and officers' insurance, I learned that “CF Disclosure Guidance: Topic No. 2, Cybersecurity,” issued by the U.S. Securities and Exchange Commission (SEC) in October, is a really big deal.
First, lawyers who read the language in the SEC guidance treated it as a “stop whatever you're doing and read this” moment. The lawyers I spoke with said the SEC guidance absolutely defined new reporting duties for companies, despite talk of it being merely a “clarification” or restatement of existing guidance.
Second, the SEC language will encourage shareholder lawsuits against companies by disgruntled parties who believe boards are not disclosing risks and actual breach details to investors.
Third, the SEC language may prompt whistleblower reports from dissatisfied IT and security staff to organizations like the SEC Office of the Whistleblower (that is a real organization). In the seven weeks beginning with this new office's launch in August 2011, parties reported 334 tips from 37 states and 11 countries, with successful enforcement actions in up to 30 percent of cases.
Although it doesn't appear that this new federal office has rewarded any whistleblowers yet, it is apparently gearing up to do so. Imagine a future case where someone on a security staff believes that management is not handling a breach as he or she believes it should be handled and decides to report the incident to the SEC – with the possibility of a payout waiting.
Right now, Congress doesn't seem to believe that the SEC rules are working. At least a half-dozen major U.S. companies whose computers have been infiltrated by cyber criminals or international spies have not admitted to the incidents – despite new guidance from securities regulators urging such disclosures.
Additionally, top U.S. cyber security officials believe corporate hacking is widespread, and the SEC issued a lengthy “guidance” document on Oct. 13 outlining how and when publicly traded companies should report hacking incidents and cyber security risk.
But, with one full quarter having elapsed since the SEC request, some major companies that are known to have had significant digital security breaches have said nothing about the incidents in their regulatory filings.
Now, Senate Commerce Chairman Jay Rockefeller, D-W.V., thinks the SEC needs to ensure hacked companies are adequately informing their investors about when they suffer a security breach or cyber security risk that could jeopardize their financial standing.
The senator wants the full commission to issue guidance for companies on when they have to report breaches or threats and what steps they're taking to minimize the risks.
“It's crucial that companies are disclosing to investors how cyber security risks affect their bottom lines, and what they are doing to address those risks,” Rockefeller said in a statement.
He will soon introduce an amendment that calls on the SEC to issue interpretive guidance on when companies must disclose cyber security risks and intrusions. Staffers for the Commerce Committee are finalizing the amendment and aim to introduce it before a cyber security bill introduced by Sen. Joe Lieberman, I-Conn., goes to the floor.
This is the sort of activity that I believe is going to mark a sea change in digital security over the coming years. I don't expect engineering or technical developments to have anywhere near the same level of impact as issues that involve legislators, lawyers, insurers, and financiers. Stay tuned!
Richard is chief security officer at Mandiant and author of the TaoSecurity blog. A version of this piece was originally posted there.