November 07, 2011, 3:02 PM — The disclosure guidance on cybersecurity issued last month by the Securities and Exchange Commission's Division of Corporation Finance is a "game-changer," says Alan Paller, director of research with SANS Institute, a security research and education organization. But not because the rules are now different. In fact, they're not. Rather, what's significantly new is the way the existing rules are perceived.
For most public companies, in the past "the presumption was that (cyber intrusions) were not material," says Paller. "The guidance says that presumption was wrong."
The new guidance takes the position that companies should disclose cyber risks and cyber incidents if the resulting risk makes an investment in the company speculative or risky. While public companies should avoid "generic risk disclosures," they also are not required to make disclosures that would, in themselves, compromise the company's cybersecurity.
'I'll Be Watching You'
The idea that companies need to report situations or issues that can pose a material risk to the organization's ability to make money is hardly novel, of course. The way David Navetta sees it, the difference now relates to the much greater significance of the disclosure requirements. "The SEC put the financial community on notice that these are serious," according to Navetta, a founding partner with the Information Law Group, and a Certified Information Privacy Professional. "You've got the Robert De Niro moment, 'I will be watching you'," he says, referring to a line from the movie "Meet the Parents."
While the SEC's new guidance doesn't constitute regulation, CFOs shouldn't underestimate its impact. "When something goes wrong, the voluntary nature of the word 'guidance' becomes a little less relevant," Navetta says. "Think of it as requirement, versus guidance."
What's more, the cybersecurity risks about which the SEC is concerned extend beyond potential leaks of consumer data, things like credit card numbers that a company may transmit or store, says Cynthia J. Larose, a member of the corporate and securities section at Mintz, Levin, Cohn, Ferris, Glovsky and Popeo P.C., and chair of the law firm's privacy and security practice. If, for instance, an intellectual property breach would pose a risk, it needs to be disclosed. "You have to look at cyber risk as holistic," Larose says.
The Cost-of-Security Obstacle