The Securities and Exchange Commission might have quietly overhauled the cybersecurity practices of every single publicly traded company that has an online network in the United States with a new set of guidelines it introduced on Thursday night, potentially paving the way for a flood of lawsuits against companies that fail to disclose to investors their cybersecurity risks and vulnerabilities.
The new “CF Disclosure Guidance” document, posted online Thursday, isn’t a “rule, regulation, or statement,” as the SEC takes care to point out in its opening section. Nor does it require companies to list in detail every single risk or vulnerability, only those that present material risks, i.e., a potential for large financial losses. The SEC does not want companies to list every risk because it is concerned about handing attackers a “roadmap” for future attacks.
But if companies are found not to have broadly disclosed material cyber risks, the new guidance could be used as the basis of shareholder lawsuits in the wake of expensive data security breaches, such as the infamous hacking and month-long downtime of the Sony PlayStation Network in April, which cost Sony an estimated $170 million.
That is at least the view of one leading privacy and data security lawyer in Washington. As Christopher Wolf explains in his post on the Hogan Lovells firm’s website:
This SEC Guidance is likely to result in public corporations engaging in a substantial and detailed assessment of their cybersecurity risks to determine if public disclosure is required, and may lead to a litigation trend of plaintiffs suing corporations following a data security breach, alleging that the risks of such a breach were not properly assessed or disclosed.
As Wolf told TPM via email: “The Guidance is not limited to technology companies or the telecom sector. Any public company that has potentially vulnerable networks is subject to the Guidance.”
However, consumers are unfortunately unlikely to benefit much from the new guidance. As Wolf noted: “Disclosure to customers of breaches is governed by 48 separate state data security notification laws, and the triggers for notification are different than the reporting suggested by the Guidelines.”
It has long been SEC policy that companies need to disclose any real-life events that could affect their overall financial performance, as InfoWeek points out. And in 2010, the agency released new disclosure guidance on the material risks posed by climate change.
The new cybersecurity guidance is the result of a specific call by Senator Jay Rockefeller (D-WVA), who in May sent a letter to SEC Chairman Mary Schapiro requesting that the SEC clarify its cybersecurity disclosure guidance. On Friday, he released the following statement applauding the SEC’s move, as reported by SC Magazine:
“For years, cyber risks and incidents material to investors have gone unreported in spite of existing legal obligations to disclose them. Intellectual property worth billions of dollars has been stolen by cybercriminals, and investors have been kept completely in the dark. This guidance changes everything.”
Indeed, most cyber security breaches on public companies go unreported. Only 100 of 1,000 global companies reported all of their breaches, according to a 2011 report by cyber security company McAfee. (H/T: The Huffington Post.)
The cybersecurity guidance, which Wolf notes is the first of its kind for the U.S., includes such strong language as “we expect registrants to evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents” and “the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption.”
So in the case of a company like Sony, which has suffered a long list of attacks this year alone (including one attempt reported on Tuesday), the list of “all available relevant information” would be quite long indeed, and the “probability of cyber incidents occurring” would be quite high.
As for what companies are asked to disclose, the SEC also gets fairly specific, naming the following five items as the bare minimum:
Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
Risks related to cyber incidents that may remain undetected for an extended period; and
Description of relevant insurance coverage.
Even more worrisome to such companies is the fact that the new guidance could be applied retroactively, allowing shareholders to go back and find cases where a company failed to properly disclose material risks and was then hacked or suffered another cybersecurity attack that caused its shares to lose value.
As Wolf explained to TPM: “I can imagine a lawsuit arising from a breach that already has occurred, where no disclosure is made in SEC filings and where investors claim that the shares of their stocks were adversely affected by the breach.”
“The Guidance surely is a wake-up call to securities lawyers in the tech sector to evaluate cybersecurity risks in terms of materiality,” Wolf told TPM.
And yet, if the climate change disclosure guidance is any indication, the new guidance may not be as helpful to investors as they might hope. As a February 2011 report from the nonprofit environmental sustainability organization Ceres found: “Although public companies’ climate reporting has improved somewhat in recent years, it remains true that disclosures very often fail to satisfy investors’ legitimate expectations.”
TPM has reached out to Sony to see how it is responding to the news and will update this story when it receives a response.