Features
SEC Moves to Cyber-Risk Disclosure
by Mark Rasch
The U.S. Securities and Exchange Commission's new guidance to public companies on cyber-risk disclosure is likely to be the first salvo in a move to make private-sector companies not only disclose cybersecurity risks, but mitigate them as well.
Publicly traded entities have long been required to disclose material risks that might significantly impact their bottom lines, such as having a key manufacturing plant in an earthquake-prone zone or even an outbreak of avian flu. With the new guidance, the SEC has explicitly recognized that cyber threats, vulnerabilities and incidents pose significant risks to companies that have not adequately prepared for them, and therefore to their shareholders, too.
The commission has instructed companies to move beyond generic statements about the risks of their operations and now expects them to examine, at a fundamental level, how they conduct business online in light of modern threats and vulnerabilities. It is clear that generic responses such as "we regularly conduct examinations of our cyber-risk posture" or "we comply with all laws and regulations regarding protection of data" are likely to be inadequate, and that companies must conduct, and disclose to shareholders, business impact assessments that relate to cyber risks and vulnerabilities.
While a company need not disclose specifics, since doing so could itself make it a target, it should have a plan for both understanding and ultimately reducing its cyber risk. This includes knowing the nature and scope of potential threats and having the ability to respond appropriately. If companies do not heed the SEC's guidance, we can expect greater and more detailed disclosure requirements to follow.
Mark Rasch is director, cybersecurity and privacy consulting, for CSC.
