IT Compliance: SEC Guideline Changes for Cyber Disclosure
The Securities and Exchange Commission, simply known as the SEC, has guidelines (also known as compliance standards) which tell companies when to divulge information on cyber attacks. This act is called Cyber Disclosure. Recently, the SEC has demanded that six high profile public companies divulge information regarding cyber breaches to their investors - Amazon Inc, Google Inc., Hartford Financial Services Group Inc., American International Group Inc., Eastman Chemical Co., and Quest Diagnostics Inc.
According to letters from the SEC, the six companies were told to inform their investors during future fillings that their systems had been breached by intruders. Amazon Inc. argued that such attacks were not significant enough to disclose regardless of the fact that the company’s unit, Zappos.com had been breached by hackers. The January intrusion led to the theft of credit card numbers from roughly 24 million clients and customer addresses. Zappos.com, which is the largest online retailer, was directed by the SEC to reveal the breach in their next filling.
Admissions of hacking can trigger litigation from investors, hurt the company’s reputation and also give competitors information that can be used to market negatively against them. Google, arguably the most utilized search engine in the world, also agreed to include its cyber crime report in their earnings report and stated that they are in compliance with the rules for disclosure and regulations.
This year alone, the SEC has written many letters to various companies pushing them to disclose incidents of hacking. This form of IT governance is also being embraced by U.S. Congress, who are in the process of reviewing a bill which has been designed to boost defenses against hackers. The government has made efforts to encourage organizations to reveal hacking incidents as well as implement a reporting system, which is voluntary.
Key Points to remember about the SEC and Cyber Disclosure:
1. Law Creation
While the SEC Cyber Disclosure directive is not law, a law could in the future be created, says former SEC lawyer Peter Henning. Although it is not a law, the SEC does effectively have the power to ask companies to reveal cyber attacks to investors. Companies are acutely aware that compliance failure can be quite costly, with a fine of $250,000, followed by litigation that could cost millions.
In a letter to Mary Schapiro, Chairman of the SEC, Senator John D. Rockefeller IV wrote that the SEC does not hold authority to regulate companies to spend on controlling cyber attackers. It can however push for compliance to communicate the risks to their investors. In order to retain investors, it's logical that these companies will have to make efforts to reduce those risks.
2. The Proposed Bill
A bill recently proposed by Senator Joe Lieberman could give companies limited security from lawsuits had reasonable security measures been taken prior to a breach. The bill however was not passed. Following the decision, President Barack Obama put into consideration action from the executive branch but has not yet reached a decision.
3. A Call to Action
US computers have been subject to a rise in cyber attacks, and businesses worldwide now spend approximately $10 billion per year fighting such crimes. That may seem like an excessive amount to spend defending against the possibility of an attack, but on the other hand, hundreds of millions of dollars have been stolen from online attacks in recent years.
While releasing information disclosing a cyber attack can be damaging to a company’s reputation, it drives improved IT governance and cyber security in the long run. By forcing companies to implement a measure that will reduce the number of cyber crimes, businesses and individuals learn how to better secure themselves against cyber attacks.