Much of the cybersecurity focus this year has been on Congress’s efforts to mandate data breach notifications and security standards. Now the Securities and Exchange Commission (SEC) is entering the fray. On Friday, The Washington Post reported that the agency issued a guidance document instructing publicly traded companies on their disclosure obligations relating to cybersecurity risks and incidents.
The SEC makes clear that these obligations are preexisting, and that the guidelines merely clarify how the existing requirements apply to cybersecurity. For example, regarding risk disclosure, the SEC states:
Consistent with the Regulation S-K Item 503(c) requirements for risk factor disclosures generally, cybersecurity risk disclosure provided must adequately describe the nature of the material risks and specify how each risk affects the registrant. Registrants should not present risks that could apply to any issuer or any offering and should avoid generic risk factor disclosure. Depending on the registrant’s particular facts and circumstances, and to the extent material, appropriate disclosures may include:
- Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
- To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
- Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
- Risks related to cyber incidents that may remain undetected for an extended period; and
- Description of relevant insurance coverage.
The guidance also states that companies “may need to disclose known or threatened cyber incidents to place the discussion of cybersecurity risks in context,” while at the same time indicating that “federal securities laws do not require disclosure that itself would compromise a registrant’s cybersecurity.” This will undoubtedly give companies a serious headache as they try to work out what they must disclose and what information they may withhold.
As for the immediate impact on publicly traded companies, CNET’s Declan McCullagh observed:
This kind of regulation may be what billionaire investor Peter Thiel, a member of Facebook’s board of directors, had in mind when he told CNET last month that there are good reasons for companies not to go public.
Thiel said: “There’s simply a degree to which public companies are given a scrutiny that is much greater and much more heavily regulated than private companies… The correct decision that people have made in the last decade in Silicon Valley has been to try to defer the IPO process as long as possible.”
With Congress considering various data breach bills, many of which call for the FTC to issue cybersecurity standards and notification requirements, companies will face a period of great uncertainty going into 2012.
NextGov reporter Jessica Herrera-Flanigan noted earlier this year that this development could also lead to more complications at the agency level in terms of addressing responsibility and jurisdiction:
While an interesting concept, the SEC’s increased presence in cyberspace could raise questions that will need to be resolved. As we see DoD and DHS (with Commerce and State thrown in for good measure) struggle with who will lead on cybersecurity, what does adding another agency to the mix of agencies that must be dealt with mean? How will an increased SEC presence in this space mesh with increased FTC and FCC efforts? What does any required significant reporting mechanism at the SEC mean for law enforcement investigations into cyber?
Although well-intentioned, the SEC’s guidance document will likely add more confusion to an already crowded policy debate. Congress should evaluate its pending legislation to see how this latest development will affect those efforts.