A recent Businessweek article implies that the US Securities and Exchange Commission (SEC) is getting more aggressive about requiring companies to disclose material security breaches.
According to the story, six companies recently received letters from the SEC asking them to make the incidents public. The firms argued “that the attacks weren’t important enough to reveal,” and that “hacking admissions can hurt reputations, give competitors useful information and trigger investor litigation.”
The article notes that demanding these revelations may result in making data safer, even though the SEC doesn’t usually provide organizations with guidance when it comes to cybersecurity crime:
The SEC doesn’t have the authority to order companies to spend money on security controls to try to fend off attackers. It can make them report cyber-risks to investors who buy stocks or make loans. To attract capital, companies might then have to take steps to reduce the risks, Democratic U.S. Senator John D. Rockefeller IV said in a May 2011 letter to SEC Chairman Mary Schapiro.
Is the SEC trying to exceed its authority? No, says John Reed Stark, managing director of Stroz Friedberg, a data security consultancy, and the former chief of the SEC’s Office of Internet Enforcement. The SEC’s reminders about what constitutes material disclosure for a public company should not be viewed as increasingly aggressive enforcement, Stark told me in an interview. Such notices about what companies are required to include in their various filings are just a normal part of business.
US Securities and Exchange Commission headquarters, Washington, DC.
The SEC regulation on disclosure of material information is one of the agency’s oldest rules. (The full rule, formally Title 17 of the Code of Federal Regulations, Commodity and Securities Exchanges, can be found here.) Nearly a year ago, the SEC published guidance that, again, simply reminded companies of their responsibilities and of what they are required to disclose under Title 17.
The SEC’s guidance document does not just outline when companies are to disclose data breaches. It also helps them understand how and where to put the disclosure. There is a difference between mentioning attacks generally in an annual filing and deciding that a specific attack needs to be disclosed in a separate filing.
Stark acknowledges that companies can be placed in a no-win situation with some breaches, especially when the Federal Bureau of Investigation is quietly investigating a breach that the company is required to disclose in a public filing. In those cases, he says, the SEC will generally be “sensitive” to the situation and side with the FBI in not making the information public.
Essentially, Stark says, companies need to disclose to the public that they are vulnerable to breaches. Problems arise, however, when one tries to define “material.” A typical defense contractor, bank, or pharmaceutical company might have its network attacked 30 to 50 times per day by criminals using a variety of techniques and vectors. What makes one attack more material than another can be a matter of interpretation.
Stark hopes that the SEC’s guidance document does not lead to the use of corporate boilerplate, the way the safe harbor language found at the end of press releases or on the websites of public companies has. Boilerplate would effectively eliminate the value of the disclosure, he says. (A typical safe harbor statement, this one from networking equipment provider Extreme Networks, can be found here.)
The fact that the SEC is talking more about Title 17 simply means that companies need to be more proactive about reporting material breaches.
What do you think? Should companies talk publicly about data breaches? Or should that information be kept quiet in order to avoid spooking investors and informing potential attackers about how to break into a company?
— Stephen Lawton is a longtime technology journalist and industry pundit.