One of the things that can make assessing the overall state of system and network security difficult is the reluctance of some organizations to reveal that they have been attacked. Sometimes, they prefer to keep the attack secret, or at least try to, presumably because they feel that disclosure would be embarrassing and damaging to their public image. Some state laws require disclosure, especially in cases where personal data is exposed, but even in these cases there is a tendency to do the least disclosure possible.
Public corporations — those whose stock is publicly traded — have for many years had a duty, under US securities law and associated regulations, to disclose material events that might affect the firm’s business or prospects. For example, if another firm were to introduce an improved competing product, or if the corporation were sued on the grounds of patent infringement, a disclosure to investors would be required.
Now, according to an article at ThreatPost, the Kaspersky Lab security news service, the US Securities and Exchange Commission [SEC] has issued guidance that suggests circumstances under which corporations may need to disclose attacks, or potential attacks.
The Securities and Exchange Commission has issued new guidance to help public companies determine when they may need to disclose an attack, or even a potential attack, in order to make potential investors aware of possible risks to the company's business.
The SEC has issued the material as guidance, not as a regulation. It is still up to the companies themselves to determine exactly what they should disclose; but the publication of this guidance will probably motivate a bit more openness. As the actual guidance document says, the disclosure determination is to be made within the framework of existing law and regulation.
Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. In addition, material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.
We live in an environment where people, and companies, are becoming more and more reliant on technology to carry out their everyday business; moreover, businesses in general actively promote conveniences made possible by technology. So I think there can be little argument that a system security breach could potentially have a very material effect on a firm's prospects, and I welcome this move by the SEC as a logical extension of the disclosure framework that has been in place for many years.