The SEC issued guidance in 2011 on how cyber security risks and breaches should be disclosed in financial filings, and it has recently started highlighting issues that have come to its attention.
The SEC issued 50 comments to public companies over the last year asking for specific disclosure on breaches. It’s clear they want to know if breaches have occurred.
It’s no longer sufficient to just include cyber security in a general discussion about risk of a breach in SEC filings — they expect companies to separate cyber risk from other business risks and disclose all material breaches.
The impact of this guidance, and the disclosures it will trigger, is going to create some interesting dynamics in the second and third years after an organization's initial filing.
Suppose an organization discloses the risk of a breach, but no specific breaches, in its base-year filings. In year two or later, the organization discovers a breach and discloses it. That new information will raise critical questions about the level of 'due care' the organization exercised in its information security and risk programs during the earlier period.
These questions in turn will drive more specific questions about the foundational security controls in place, and the organization’s ability to interpret and react to rapidly changing cyber security threats.
The answers to these questions, and the risk assessments that this deeper level of scrutiny will drive both inside and outside the organization, will vary. Whatever they are, I believe some business facts will become clear to executive management teams:
- Just as in other financial business processes, every organization is going to have to prove they are operating with the appropriate level of due care with respect to cyber security.
- In the same way financial processes are expected to follow Generally Accepted Accounting Principles (GAAP), cyber security standards will emerge as the go-to standards for due care. The SANS Top 20 Critical Security Controls is an excellent candidate to become the first cyber security standard used to evaluate due care.
- In response to new levels of oversight, organizations will adopt a more rigorous level of review of the business risks associated with cyber security from the Board level to the executive team and the audit and risk committees responsible for the programs.
The SEC has also indicated interest in data breaches that were brought to a company's attention by a third party. In these cases, the SEC may request disclosure detailing why the company was not aware of the breach on its own.
Many organizations fall into this category. We've already seen a number of them notified by a Federal agency that a breach has occurred, or is likely to have occurred, in their environment.
These changes are already in process and promise to bring a whole new level of scrutiny to cyber security risk and intelligence. They also promise much more rapid adoption of the security controls and standards that support sound security risk intelligence and the fastest possible discovery and mitigation of breaches.
Is your organization ready?