Friday, May 13, 2011

Senate Commerce Committee Chair Asks SEC to Issue Guidance on Disclosure of Risk of Cyber Attacks

Citing investor confusion, inconsistent public reporting and the importance of cyberspace security, the Senate Commerce Committee requested that the SEC issue guidance on the disclosure of information security risk and material network breaches. In a letter to SEC Chair Mary Schapiro, Commerce Committee Chair Jay Rockefeller (D-WV) said that it is essential that corporate managers know their responsibility for disclosing information security risks. The SEC guidance should clarify disclosure requirements pertaining to information security risk, including material information security breaches involving intellectual property or trade secrets. In preparing the guidance, the SEC should examine how significant market participants, such as credit rating agencies and securities analysts, incorporate evidence of information security risk into their assessments of companies and investment products. In addition to Chairman Rockefeller, the letter was signed by Senators Robert Menendez (D-NJ), Mark Warner (D-VA), Sheldon Whitehouse (D-RI), and Richard Blumenthal (D-CT).

The Committee’s review of recent corporate disclosures suggests that material breach reporting and information risk disclosure are inconsistent and unreliable. The Committee is concerned that the resulting lack of quality publicly disclosed information produces an inefficient market that impairs investor decision making. The Senators believe that SEC guidance in this area, issued under the Commission’s longstanding legal authority, will enhance investor protection and increase corporate awareness of information security risk.

The Senators are also concerned that senior officers of public companies may not fully understand their affirmative duty to disclose information on potentially compromised intellectual property or trade secrets upon the occurrence of a material network breach. The Senators emphasized that the federal securities laws require the disclosure of any material network breach, including breaches involving sensitive corporate information that could be used by an adversary to gain competitive market advantage, affect corporate earnings and potentially reduce market share.

While there are many benefits to information technology, noted the letter, the risks of IT are neither well known nor understood. Corporate managers face a number of challenges in evaluating their information security risks, including the difficulties of measuring the value of information stored within a computer network, evaluating the effectiveness of security controls, defending against determined attackers, and assessing the consequences of a breach. While acknowledging that managing information security risk is not an exact science, the Senators said that it is a core responsibility at all levels of a business.

The SEC promotes corporate accountability for risk management through the enforcement of material risk disclosure. If properly assessed, disclosed information allows investors to value a company’s material risks, including material information risks, in their investment decisions, spurring companies to understand and reduce their risk exposures to attract capital.

Citing a 2009 finding that 38 percent of Fortune 500 companies did not mention privacy or data security exposures in their public filings, the Committee believes that a substantial number of companies do not currently report their information security risks to investors. The Committee’s own review of recent filings found a range of disclosures, from boilerplate descriptions of risk to details of specific attacks. Importantly, the Committee found no disclosed information on steps taken by the reporting companies to reduce their risk exposure.