Companies, in general, have some level of unrecognized cyber risk and have not fully disclosed those risks and risk management plans to boards or external stakeholders, including clients, partners and shareholders. Now, publicly-traded companies have to disclose cyber risks in financial statements. On October 13, 2011 the Securities and Exchange Commission (SEC) Division of Corporation Finance released a guidance document that assists registrants in assessing what disclosures should be made in the face of cyber security risks and incidents.
While cyber risk for financial records has been part of the financial audit and reporting process since the early SOX 404 days, these new requirements for disclosure represent a broader impact to operations and a more stringent standard for analysis and reporting. The guidance provides an overview of disclosure obligations under current securities laws emphasizing that registrants should disclose the risk of cyber incidents “if these issues are among the most significant factors that make an investment in the company speculative or risky.” Registrants are expected to evaluate security risks, and if a registrant determines that disclosure is required, the registrant is expected to “describe the nature of the material risks and specify how each risk affects the registrant,” avoiding generic disclosures.
The SEC indicated that in analyzing cyber security risks and whether that risk should be reported, registrants should take the following into account:
- prior cyber incidents and the severity and frequency of those incidents;
- the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption; and
- the adequacy of preventative actions taken to reduce cyber security risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware.
Additionally, the guidance advises registrants to address risks and incidents in their MD&A “if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.” Other situations requiring disclosure include if one or more incidents has materially affected a registrant’s “products, services, relationships with customers or suppliers, or competitive conditions” and if an incident is involved in a material pending legal proceeding to which a registrant or any of its subsidiaries is a party. Registrants are also expected to disclose certain security incidents on financial statements, as well as the effectiveness of disclosure controls and procedures on filings with the SEC. As a result, most public company breach notification and incident response plans will have to be updated.
The guidance will likely cause companies to more carefully forecast and estimate the impact of cyber incidents and the consequences of failing to implement adequate security. This analysis will go well beyond the current focus on privacy-related security issues and require analysis of key operational issues impacted by security breaches. It will be interesting to see how this affects the internal corporate dynamics between CIOs and their business counter-parts.
In some organizations, the general counsel will ask the CIO how the security program is operating and the CIO may provide an operations-level report that may not fully address this requirement. The risk management discussion must include not only technical controls but also other process controls, which could be outside the direct oversight of the CIO. This is truly a cross-functional requirement that will include the CIO as well as other members of the executive team. Some scoping questions that are inherent in the SEC guidance to manage risk have been listed below.
- What types of sensitive data does the company collect, process, store or transit?
- What critical operations are supported by IT that may cause significant damage to third parties (i.e. critical infrastructure)?
- How does the organization map its data flows to determine critical segments for enhanced protection?
- What process does the company use to manage risk identification and risk management planning and what reports are generated to provide transparency to company governance structure?
- When is the last time the executive team participated in the company Incident Response and Data Breach Notification exercise process? Do you know where to get a copy of the Incident Response Plan?
Many companies, to include Heartland Payment Systems, thought they were managing risks commensurate to industry standards only to incur a significant data breach. Sony, TJ Max and others were in the same situation. Clearly, their risk management plans were not adequate and the transparency of both the risk and control effectiveness was not reported in a manner where executive oversight was possible. At Heartland, the company had implemented several security programs that were audited and reported to be compliant with industry standards. In short, the company was not completely unprepared. In fact, Heartland was operating a security program that was well above most programs today. Unfortunately, the lack of oversight from the top resulted in sub-optimized performance at the operations level and residual risks were present. Those risks resulted in a data breach that likely could have been prevented. This disclosure requirement is intended to help identify those risks and inform key stakeholders on the effectiveness of management control of the risks.
Some risk may not be economically mitigated. That accepted risk has to be disclosed to shareholders or investors as a part of the Management Discussion in financial statements going forward. The inherent risk of each company’s exposure to cyber risks can be easily stated. However, the adequacy and effectiveness of risk mitigation or compliance efforts will take a higher level of analysis and reporting that likely occurs today in many organizations. These changes to corporate governance may be minor in some organizations and significant investments in others. However, the path is clear. Accountability for cyber risk has fully migrated from the data center to the boardroom.
Click here for the full Appendix A – SEC Cyber Risk Disclosure Guidance