SEC Guidelines - Good Intentions Fall Short?
As I wrote last week, the Securities and Exchange Commission, among other agencies, has jumped into the cybersecurity arena -- issuing guidance on disclosure requirements for companies at risk of, or affected by, cyber events.
While the SEC guidelines have the right intentions, they fall short in trying to address a complex problem. Perhaps the actual implementation of the guidelines will prove different, but in reading through what was issued, I was left with a number of questions.
First, it is unclear how the guidance would work with ongoing law enforcement, homeland security and intelligence efforts relating to cybersecurity. Given the remote nature of cyberattacks, there may be instances when security agencies do not want to make public details of an attack until a thorough forensic assessment has been made and any trends or patterns with other attacks are discerned. It is unclear how the guidelines would address such situations.
Second, for publicly traded companies that contract with the government (and for the accountants who audit any company), it is also unclear how the SEC guidelines are intended to be enforced in conjunction with pending acquisition rules and the Defense Department's policies on the protection of unclassified information.
Third, while the SEC guidelines suggest that companies should not disclose information that would weaken a company's cybersecurity posture, they say little about the weakening of other companies' systems. One could imagine a scenario in which a disclosure identifies vulnerabilities and risks shared by similarly situated companies, and those vulnerabilities are then exploited to attack such companies. This would be an unintended consequence but, depending on the level of information provided, a real possibility.
The guidelines also broadly hold registrants responsible for assessing the probability of cyber incidents occurring and the potential costs of risks relating to such incidents. This assessment requires that companies "consider the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware." This part of the guidelines raises not only liability questions but also questions about how much information companies in a particular industry can share on their risks. In those instances where information-sharing vehicles are present (e.g., banking, IT, telecom), this might be an easier feat, but how should assessments be made in those industries where information sharing is not the norm? Cyber risks and threats are evolving and constantly changing. Vulnerabilities can be exposed and exploited within seconds.
This is not to say that the SEC guidelines are not well-intentioned or that accountability is not needed. Our corporate cybersecurity posture is in need of improvement, and some guidance is probably needed to assure that investors and the public are aware of risks. Finding the right balance between disclosure and security is the challenge.