Cyber Security Institute

Thursday, October 20, 2011

New SEC security breach rules no big game changer, experts say

Late last week the Securities and Exchange Commission issued new guidance informing public companies that, under certain circumstances, they may need to disclose cyber breach information, or even potential security breaches, if there is a certain level of risk of financial impact to corporate earnings.

“For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur. Instead, as part of a broader discussion of malware or other similar attacks that pose a particular risk, the registrant may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences,” the SEC explained.

David Navetta, a founding partner of the Information Law Group, and Nicole Friess, an associate at the law firm, wrote in their blog, “SEC Issues Guidance Concerning Cyber Security Incident Disclosure,” not to expect a wave of new public security breach disclosures from listed companies as a result of the SEC guidance. “While cyber security risk has always been a potential financial disclosure issue, and something that directors and officers need to take into account, the SEC guidance really highlights the issue and brings it to the fore. Even so, materiality is still going to be a big issue, and not every breach will need to be reported, as many/most will not likely involve the potential for a material impact to a company,” they wrote.

“It’s not as if companies are not already expected to report a breach that is material to earnings, such as Heartland, TJX, and many others have in the past. What the SEC has done is underline that IT security risks to materiality are no different than any other types of risks and need to be considered as such,” he says.

While we may not see a wave of new breach disclosures, Navetta and Friess estimate that many firms are not as prepared internally as they need to be in order to determine the potential impact of IT security breaches.
