New SEC cybersecurity guidance has impact -- and cost -- yet no rule change

By establishing that cyber intrusions can't be presumed to be immaterial, such threats are now front and center when it comes to reporting.

By Karen M. Kroll, CFOworld

The disclosure guidance on cybersecurity issued last month by the Securities and Exchange Commission's Division of Corporation Finance is a "game-changer," says Alan Paller, director of research with SANS Institute, a security research and education organization. But not because the rules are now different. In fact, they're not. Rather, what's significantly new is the way the existing rules are perceived.

For most public companies, in the past "the presumption was that (cyber intrusions) were not material," says Paller. "The guidance says that presumption was wrong."

The new guidance takes the position that companies should disclose cyber risks and cyber incidents if those risks make an investment in the company speculative or risky. While public companies should avoid "generic risk disclosures," they are also not required to make disclosures that would, in themselves, compromise the company's cybersecurity.

'I'll Be Watching You'

The idea that companies need to report situations or issues that can pose a material risk to the organization's ability to make money is hardly novel, of course. The way David Navetta sees it, the difference now relates to the much greater significance of the disclosure requirements. "The SEC put the financial community on notice that these are serious," according to Navetta, a founding partner with the Information Law Group, and a Certified Information Privacy Professional. "You've got the Robert De Niro moment, 'I will be watching you'," he says, referring to a line from the movie "Meet the Parents."

While the SEC's new guidance doesn't constitute regulation, CFOs shouldn't underestimate its impact. "When something goes wrong, the voluntary nature of the word 'guidance' becomes a little less relevant," Navetta says. "Think of it as requirement, versus guidance."

What's more, the cybersecurity risks about which the SEC is concerned extend beyond potential leaks of consumer data, things like credit card numbers that a company may transmit or store, says Cynthia J. Larose, a member of the corporate and securities section at Mintz, Levin, Cohn, Ferris, Glovsky and Popeo P.C., and chair of the law firm's privacy and security practice. If, for instance, an intellectual property breach would pose a risk, it needs to be disclosed. "You have to look at cyber risk as holistic," Larose says.

The Cost-of-Security Obstacle

Originally published on CFOworld.