A new interpretation of how companies must disclose to investors their risk from cyber attack could be a huge change for corporate America.
Earlier this month the Securities and Exchange Commission issued a new guidance document on what companies must share with shareholders when it comes to cyber security breaches.
It’s not a new rule, says John Reed Stark, a 20-year veteran of the SEC who now works with security firm Stroz Friedberg. Rather, it’s more like a statement from SEC staff setting out what it believes the current interpretation is of when companies must report either a cyber attack or their risk of a cyber attack to shareholders.
In the past, companies treated an event or risk as “material” (and thus needing to be reported) if it was believed it would have an impact on 10 percent of a firm’s revenue or profits, Stark said. It’s a rough approximation that gave companies a great deal of latitude.
The new guidance, however, essentially says companies need to warn investors if they have any risk of cyber attack. They don’t have to spell out the specific risks or even the specifics of how an actual attack occurred. But they can’t be completely vague either, says Stark.
“In our view cyber attacks are not a question of ‘if,’ but a matter of when,” Stark said. “It’s pretty broad and extreme, and it will shock a lot of companies.”
For energy companies in particular cyber threats have become a top priority, according to attendees at a recent FBI security event in Houston. This is both in terms of outside attackers trying to infiltrate a company’s systems and employees within trying to steal data to sell to outsiders.
But some companies have not taken the threat seriously enough, or have failed to thwart attacks, as has been seen with data theft from consumer credit card companies in recent years. Even the SEC had a system with employee information hacked this year.
“These are not teenage hackers in basements. These are sophisticated, well-organized cyber attacks that are evolving into significant threats,” Stark said.
The new interpretation appears to have come at the behest of Sen. Jay Rockefeller (D-W.Va.), who has been concerned that companies have had many security breaches and failed to adequately warn both customers whose data was breached and investors.
“For years, cyber risks and incidents material to investors have gone unreported in spite of existing legal obligations to disclose them,” Rockefeller said in a statement. “Intellectual property worth billions of dollars has been stolen by cybercriminals, and investors have been kept completely in the dark. This guidance changes everything. It will allow the market to evaluate companies in part based on their ability to keep their networks secure.”
Stark warns the new SEC interpretation will also open the door to lawsuits from class action lawyers and motivate company whistle blowers to step forward and report previously undisclosed security breaches or risks.
“It’s an All Points Bulletin for whistle blowers who know of a data breach that hasn’t been disclosed because they are now eligible for 30 percent of any penalty assessed against a company,” Stark said.
The way the SEC released the guidance can be a particular annoyance to companies. It wasn’t first discussed in a speech by a commissioner as a warning to companies, as has happened in the past, or introduced as a draft proposal. Rather, the statement from staff simply appeared on the SEC web site essentially saying “this is the way the disclosure rule should have been interpreted in the past,” Stark said.
What happens next? Stark says from his experience at the SEC there’s often a tendency to want to find a case that illustrates the newly interpreted rule and make that company an example as a way to get other companies in line in a hurry. That could mean acting on any potential whistle blower-referred cases quickly and in a very public manner.
This likely has companies scrambling to figure out what kind of disclosures they need to make ASAP, as well as trying to find the technical expertise to adequately assess and monitor their risks.
The second half of that effort — assessing risks and monitoring them — will be particularly challenging. When a company experiences a cyber attack it often takes a long time to even detect it, and once it is detected it can be a while before it is properly understood.
“One day you think the incident was ‘alpha,’ after a few days of investigating you think it’s ‘omega,’ and then you find you’re back thinking ‘alpha’ the next week,” Stark said.