Saturday, November 19, 2011

SEC Guidance Emphasizes Materiality for Cyber Incidents

Senator Jay Rockefeller and Secretary Michael Chertoff wrote the best article I've seen yet on the CF Disclosure Guidance: Topic No. 2, Cybersecurity issued by the SEC last month in their article A new line of defense in cybersecurity, with help from the SEC:

Managing cybersecurity risk has always been, and always will be, in large part a private sector responsibility...

Until recently, this responsibility may have been unclear — or unknown — to the directors and officers of publicly traded companies. But on Oct. 13, the Securities and Exchange Commission issued groundbreaking guidance to clarify companies’ disclosure obligations about material cybersecurity risks and events.

Federal securities law has long required publicly traded companies to report “material” risks and events — that is, information that the average investor would want to know before making an investment decision. But before the SEC’s action, many companies were not aware how — or perhaps even if — this duty applied to cybersecurity information. In fact, a Senate Commerce Committee review of past corporate disclosures suggested that a significant number of companies have not reported these risks for years.

This SEC guidance is critical because it allows market participants to weigh cybersecurity as an investment factor. It is generally understood that disclosing material breaches — such as the significant loss of a company’s intellectual property — will affect the value of a company, because existing or potential investors will reconsider their investment decisions. Without detailed public information about these events, investors are unaware of the risks to which companies are exposed. And without pressure from investors, corporate officers are less likely to change their risk-management practices.

The SEC guidance will fundamentally alter this equation by raising questions that historically have not been asked at many U.S. companies. Businesses will now have to consider, among other things, what constitutes a material cybersecurity breach and how to disclose such events to investors; how the value of intellectual property is measured; whether appropriate defenses are in place around that property; and whether risks are being appropriately mitigated, through defensive technologies or appropriate insurance coverage.
(emphasis added)

Make no mistake: this is a big deal. Until now "disclosure" laws have aimed at protecting consumers by making their PII the important aspect of a digital incident.

With the SEC guidance, we have a new audience for "disclosure" -- shareholders. The SEC is telling publicly traded companies that they have to disclose material cyber security incidents. Now the battle to define materiality will begin.

2 comments:

Alex said...

Richard,

Great post! Security risk is material risk. Hopefully the required transparency will help some public companies reconsider poor funding and resourcing decisions with regard to their defense.

-Alex

Anonymous said...

I wonder about the possibility that publicly traded infosec companies face double jeopardy, in that reporting a potential material breach they may also cast some doubt about effectiveness of product or services.