New SEC Cyber Risk Disclosure Guidance: What Does It Mean for Public Companies?

February 28, 2018, Nick Son, Vice President, Cyber Risk Services, Coalfire

On February 21, the U.S. Securities and Exchange Commission (SEC) issued the long overdue cybersecurity interpretive guidance to address the methods and timing of cybersecurity risks and incidents disclosures. To signify the importance of this updated guidance, five SEC commissioners issued the guidance. The new guidance does not change any of the existing SEC rules, but it does address two new topics:

  • Insider Trading
  • Disclosure Controls and Procedures, including disclosing risks that have not yet been exploited by attackers

So why was this guidance necessary? If you will recall, Equifax CEO Richard Smith sold stock worth over $1.8 million after allegedly learning of the data breach and before making the information public. A similar incident also allegedly occurred recently at Intel related to Meltdown/Spectre. While we are not stating there was intentional wrongdoing, such transactions can be nevertheless perceived as inappropriate and do considerable damage to company brand reputation.

There is a section in the new SEC guidance that I foresee as a trouble spot for organizations. It states,

“We expect companies to provide disclosure that is tailored to their particular cybersecurity risks and incidents. As the Commission has previously stated, we “emphasize a company-by-company approach [to disclosure] that allows relevant and material information to be disseminated to investors without boilerplate language or static requirements while preserving completeness and comparability of information across companies.

"Companies should avoid generic cybersecurity-related disclosure and provide specific information that is useful to investors.”

I would like to highlight two examples of disclosures. In the 2016 Target financial statement (10K) under the Data Security and Privacy Risks section, it states,

“If our efforts to protect the security of information about our guests, team members and vendors are unsuccessful, we may face additional costly government enforcement actions and private litigation, and our sales and reputation could suffer…  Until the data breach we experienced in the fourth quarter of 2013, all incidents we encountered were insignificant. The data breach we experienced in 2013 was significant and went undetected for several weeks. Both we and our vendors had data security incidents subsequent to the 2013 data breach; however, to date these other incidents have not been material to our consolidated financial statements. Based on the prominence and notoriety of the 2013 data breach, even minor additional data security incidents could draw greater scrutiny. If we, our vendors, or other third parties with whom we do business experience additional significant data security breaches or fail to detect and appropriately respond to significant data security breaches, we could be exposed to additional government enforcement actions and private litigation. In addition, our guests could lose confidence in our ability to protect their information, which could cause them to discontinue using our REDcards or loyalty programs, or stop shopping with us altogether.”

In comparison, here is Amazon’s 2015 and 2016 disclosure under Risk Factors (1A) related to data loss and security breaches:

“As a result of our services being web-based and the fact that we process, store, and transmit large amounts of data, including personal information, for our customers, failure to prevent or mitigate data loss or other security breaches, including breaches of our vendors’ technology and systems, could expose us or our customers to a risk of loss or misuse of such information, adversely affect our operating results, result in litigation or potential liability for us, and otherwise harm our business. We use third-party technology and systems for a variety of reasons, including, without limitation, encryption and authentication technology, employee email, content delivery to customers, back-office support, and other functions. Some subsidiaries had past security breaches, and, although they did not have a material adverse effect on our operating results, there can be no assurance of a similar result in the future. Although we have developed systems and processes that are designed to protect customer information and prevent data loss and other security breaches, including systems and processes designed to reduce the impact of a security breach at a third-party vendor, such measures cannot provide absolute security.”

Now referring back to the above SEC’s requirement of tailored disclosures, without boilerplate language, this is a tall order, and a significant departure from how enterprises have disclosed in the past. It will require greater than ever involvement of cybersecurity experts in the financial reporting process. I would expect that CPAs are working hard to figure out what this means for them. 

Cybersecurity security experts are not usually deeply involved in financial statement audits and the creation and interpretation of Disclosure Statements, not to mention that not many security consultants have the business domain expertise to render such Disclosure Statements.

From our view, the SEC guidance will also require organizations to have an Incident Response Plan (IRP) in place, be very well-versed in their plan, and have conducted table top exercises to be ready to respond to incidents. The SEC guidance requires that there is a fast-response team at the ready to understand the details of the breach and/or inherent risks (a mature cybersecurity function); and that this team is funneling this information through the proper executive and legal channels for internal halts on trading and communications planning; and that a full incident communications plan with owners is ready to communicate externally through the proper channels in a highly responsive, well-tuned fashion. Any organization that does not have an IRP should consider implementing one, or engaging a third-party expert to assist.

I’m looking forward to seeing AICPA’s implementation guidance on this matter.  Interesting times ahead. 

Nick Son

Author

Nick Son — Vice President, Cyber Risk Services, Coalfire

Recent Posts

Post Topics

Archives

Tags

2.0 3.0 access Accounting Agency AICPA Assessment assessments ASV audit AWS AWS Certified Cloud Practitioner AWS Certs AWS Summit bitcoin Black Hat Black Hat 2017 blockchain Blueborne Breach BSides BSidesLV Burp BYOD California Consumer Privacy Act careers CCPA Chertoff cloud CoalfireOne Compliance credit cards C-Store Cyber cyber attacks Cyber Engineering cyber incident Cyber Risk cyber threats cyberchrime cyberinsurance cybersecurity danger Dangers Data DDoS DevOps DFARS DFARS 7012 diacap diarmf Digital Forensics DoD DRG DSS e-banking Ed Education encryption engineering ePHI Equifax Europe EU-US Privacy Shield federal FedRAMP financial services FISMA Foglight forensics Gartner Report GDPR Google Cloud NEXT '18 government GRC hack hacker hacking Halloween Health Healthcare heartbleed Higher Higher Education HIMSS HIPAA HITECH HITRUST HITRUST CSF Horror Incident Response interview IoT ISO IT JAB JSON keylogging Kubernetes Vulnerability labs LAN law firms leadership legal legislation merchant mobile NESA News NH-ISAC NIST NIST 800-171 NIST SP 800-171 NotPetya NRF NYCCR O365 OCR of P2PE PA DSS PA-DSS password passwords Payments PCI PCI DSS penetration Penetration Testing pentesting Petya/NotPetya PHI Phishing Phising policy POODLE PowerShell Presidential Executive Order Privacy program Ransomware Retail Risk RSA RSA 2019 Safe Harbor Scanning Scans scary security security. SOC SOC 2 social social engineering Spectre Splunk Spooky Spraying Attack SSAE State Stories Story test Testing theft Virtualization Visa vulnerability Vulnerability management web Wifi wireless women XSS