On February 21, the U.S. Securities and Exchange Commission (SEC) issued long-overdue interpretive guidance on cybersecurity, addressing the methods and timing of disclosures of cybersecurity risks and incidents. To signify the importance of this updated guidance, five SEC commissioners issued it. The new guidance does not change any of the existing SEC rules, but it does address two new topics:
- Insider Trading
- Disclosure Controls and Procedures, including disclosing risks that have not yet been exploited by attackers
So why was this guidance necessary? If you will recall, Equifax CEO Richard Smith sold stock worth over $1.8 million after allegedly learning of the data breach and before making the information public. A similar incident also allegedly occurred recently at Intel related to Meltdown/Spectre. While we are not stating there was intentional wrongdoing, such transactions can nevertheless be perceived as inappropriate and do considerable damage to a company's brand reputation.
There is a section in the new SEC guidance that I foresee as a trouble spot for organizations. It states,
“We expect companies to provide disclosure that is tailored to their particular cybersecurity risks and incidents. As the Commission has previously stated, we ‘emphasize a company-by-company approach [to disclosure] that allows relevant and material information to be disseminated to investors without boilerplate language or static requirements while preserving completeness and comparability of information across companies.’
“Companies should avoid generic cybersecurity-related disclosure and provide specific information that is useful to investors.”
I would like to highlight two examples of disclosures. The 2016 Target financial statement (10-K), under the Data Security and Privacy Risks section, states,
“If our efforts to protect the security of information about our guests, team members and vendors are unsuccessful, we may face additional costly government enforcement actions and private litigation, and our sales and reputation could suffer… Until the data breach we experienced in the fourth quarter of 2013, all incidents we encountered were insignificant. The data breach we experienced in 2013 was significant and went undetected for several weeks. Both we and our vendors had data security incidents subsequent to the 2013 data breach; however, to date these other incidents have not been material to our consolidated financial statements. Based on the prominence and notoriety of the 2013 data breach, even minor additional data security incidents could draw greater scrutiny. If we, our vendors, or other third parties with whom we do business experience additional significant data security breaches or fail to detect and appropriately respond to significant data security breaches, we could be exposed to additional government enforcement actions and private litigation. In addition, our guests could lose confidence in our ability to protect their information, which could cause them to discontinue using our REDcards or loyalty programs, or stop shopping with us altogether.”
In comparison, here is Amazon’s 2015 and 2016 disclosure under Risk Factors (1A) related to data loss and security breaches:
“As a result of our services being web-based and the fact that we process, store, and transmit large amounts of data, including personal information, for our customers, failure to prevent or mitigate data loss or other security breaches, including breaches of our vendors’ technology and systems, could expose us or our customers to a risk of loss or misuse of such information, adversely affect our operating results, result in litigation or potential liability for us, and otherwise harm our business. We use third-party technology and systems for a variety of reasons, including, without limitation, encryption and authentication technology, employee email, content delivery to customers, back-office support, and other functions. Some subsidiaries had past security breaches, and, although they did not have a material adverse effect on our operating results, there can be no assurance of a similar result in the future. Although we have developed systems and processes that are designed to protect customer information and prevent data loss and other security breaches, including systems and processes designed to reduce the impact of a security breach at a third-party vendor, such measures cannot provide absolute security.”
Referring back to the SEC’s requirement above for tailored disclosures without boilerplate language: this is a tall order and a significant departure from how enterprises have disclosed in the past. It will require greater involvement than ever from cybersecurity experts in the financial reporting process. I would expect that CPAs are working hard to figure out what this means for them.
Cybersecurity experts are not usually deeply involved in financial statement audits or in the creation and interpretation of Disclosure Statements, and not many security consultants have the business domain expertise to render such Disclosure Statements.
From our view, the SEC guidance will also require organizations to have an Incident Response Plan (IRP) in place, be very well-versed in their plan, and have conducted tabletop exercises to be ready to respond to incidents. The SEC guidance requires that a fast-response team be at the ready to understand the details of the breach and/or inherent risks (a mature cybersecurity function); that this team funnel this information through the proper executive and legal channels for internal halts on trading and communications planning; and that a full incident communications plan with owners be ready to communicate externally through the proper channels in a highly responsive, well-tuned fashion. Any organization that does not have an IRP should consider implementing one, or engaging a third-party expert to assist.
I’m looking forward to seeing AICPA’s implementation guidance on this matter. Interesting times ahead.