Should Public Companies Have To Disclose Cybersecurity Risks And ‘Cyber Incidents’?

News that the Obama administration contemplated a “cyberwar” on Libya is yet another example of the reliance that we – individuals, countries, and corporations – all have on technology. Everyone knows that. Now, though, the SEC’s Division of Corporation Finance is proposing to require that public companies disclose more information about cybersecurity “risks” and “cyber incidents.” 

In particular, the Division is proposing that public companies should disclose the risk of cyber incidents “if these issues are among the most significant factors that make an investment in the company speculative or risky.” In determining whether risk factor disclosure would be required, it says that it expects companies would evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents.
 
Moreover, it is proposing that, depending on a company’s particular facts and circumstances, and to the extent material, appropriate disclosures may include:
 
· Discussion of aspects of the company’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
· To the extent the company outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
· Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
· Risks related to cyber incidents that may remain undetected for an extended period; and
· Description of relevant insurance coverage.

Should this information be kept confidential? Does it do more harm to a company and its shareholders if revealed than if management focuses on dealing with the issues? Perhaps these questions will be addressed before the proposal becomes final.

Comments

Publicizing Cyber-risks

Should investors be made aware of risks associated with cyber-crime? Absolutely. If the effect of the attacks is material or has a high possibility to be material, then it needs to be disclosed. The attacks on Sony and the repercussions from them are a perfect example.

Should technical details identifying specific risks and how they are addressed be announced? I don't think so. Just like companies don't publicize when non-customer doors are unlocked or when a dead-bolt isn't functioning properly, you don't want to give potential hackers info that will help them get in. But don't investors have the right to know that a problem exists, or that it is properly taken care of, you say? Yes. I think if cyber-security issues present a real and material threat to the profitability of the company, then they should regularly audit their systems in a manner similar to their books, and acquire a statement from a neutral company stating that the systems have been reviewed and the likelihood and costs of potential risks have been factored into the financial statements. No disclosure discussing specific weaknesses or countermeasures is revealed. This offers protection to both the company and the investor, and should meet the needs that the elevated levels of cyber-crime warrant.