SEC Disclosure Guidelines for Cybersecurity

24 02 2012

In a recent article, the Wall Street Journal reported that though Nortel had been aware of a long term security breach and had conducted its own investigation into the situation, they chose not to disclose the incident or investigation to any of its potential buyers.   The security breach was discovered in 2004 when an employee noted that a senior leader appeared to be downloading what was considered to be an unusual set of documents.  When questioned, the executive said he had not downloaded the documents.  The security investigation showed that the incident was a result of hackers who had acquired the passwords from seven senior leaders including a previous CEO.  Using Chinese-based Internet addresses, the hackers had had access to the Nortel network and its equipment starting as early as 2000.   Since its bankruptcy in 2009, Nortel has been in the process of selling off its business in pieces.  In statements from Ericsson, Ciena, and Avaya, the new owners of Nortel’s business areas indicated that they had not been made aware of the security breach prior to their purchases of Nortel business and equipment potentially infiltrated by the hackers. (Gorman, 2012)

This lack of disclosure is indicative of companies’ lack of knowledge of the existing requirement to disclose security risk areas and specific security incidents in their annual Securities and Exchange Commission (SEC) filings.  To this point, the SEC felt it necessary to create a memo that provides guidance on the type of cybersecurity incidents that need to be disclosed and the associated financial information to be included.  In October 2011, the Division of Corporation Finance within the Securities and Exchange Commission published a memo with disclosure guidelines related to cybersecurity risks and incidents.  The memo points out that these types of events have always been in scope of the disclosures required by law as they are considered important information for a potential investor, so disclosures about cybersecurity risk or incidents are not a new requirement.   (Division of Corporation Finance, 2011)

Legal advisors from Mintz Levin issued their 2012 Securities Memorandum, siting the new SEC cybersecurity guidance development to be one of the “key considerations to keep in mind as you embark upon the year-end reporting process in 2012.” (Gates & Greene, 2012)

With respect to disclosing cybersecurity risk and/or events, legal advisors such as Gibson Dunn are providing guidance to their clients to complete the following activities:

  1.  Perform an assessment of materiality for significant areas of security risk or for security incidents that have occurred to determine if disclosure is warranted.
  2. Review what other companies have included in their cybersecurity disclosures to the SEC.
  3. Be prepared to disclose the appropriate information (remediation efforts, business impact, financial impact, legal implications) if a security breach occurs.
  4. Monitor legislation for additional requirements related to cybersecurity. (Goodman, Ising, Mueller, & Southwell, 2011)

However, disclosing areas of security weakness and specific security breaches will be difficult for companies to begin to include in their SEC filings.  A Washington Post article covering the introduction of the SEC guidance document explains one reason for companies’ reluctance is the fear that their images will be tarnished in the eyes of all their current and potential investors.   The article continues to point out that the ability to be able to assess damages and associated costs tied to the cybersecurity risks will challenge the current capabilities of companies. (Nakashima & Hilzenrath, 2011)

In conclusion, in light of the increases of significant security incidents, companies will need to provide careful consideration and analysis of the risk related to cybersecurity and ensure compliance to the SEC requirements by bringing to light significant security risk and/ or incidents and their associated business impact.

________________

Division of Corporation Finance. (2011, October 13). CF Disclosure Guidance: Topic No. 2. Retrieved February 19, 2011, from http://www.sec.gov: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm#_edn2

Gates, M. N., & Greene, P. B. (2012, January 19). Preparation for 2011 Fiscal Year SEC Filings and 2012 Annual Shareholder Meetings. Retrieved from http://www.mintz.com: http://www.mintz.com/newsletter/2012/Advisories/1596-0112-NAT-SEC/index.htm

Goodman, A., Ising, E. A., Mueller, R. O., & Southwell, A. H. (2011, October 17). SEC Issues Interpretive Guidance on Cybersecurity Disclosures Under U.S. Securities Laws. Retrieved February 19, 2012, from http://www.gibsondunn.com: http://www.gibsondunn.com/publications/Pages/SECGuidance-CybersecurityDisclosuresUnderUSSecuritiesLaws.aspx

Gorman, S. (2012, February 14). Chinese Hackers Suspected In Long-Term Nortel Breach. Retrieved February 17, 2012, from online.wsj.com: http://online.wsj.com/article/SB10001424052970203363504577187502201577054.html

Nakashima, E., & Hilzenrath, D. S. (2011, October 14). Cybersecurity: SEC outlines requirement that companies report cyber theft and attack. Retrieved February 19, 2012, from http://www.washingtonpost.com: http://www.washingtonpost.com/world/national-security/cybersecurity-sec-outlines-requirement-that-companies-report-data-breaches/2011/10/14/gIQArGjskL_story.html

 

Advertisements