As companies begin submitting their regulatory filings and financial reports from 2011, the SEC is pushing for more comprehensive data breach, cyber attack, and general risk-assessment disclosures.
As it stands, companies not only downplay the severity of hacking and other Internet-borne threats in the risk assessments they present to the investing public, but they have also shown reluctance to disclose, and have similarly downplayed, attacks that have already occurred.
In October, however, the SEC Division of Corporation Finance published a cybersecurity guidance document. While the document does not constitute a concrete rule or regulation, it compels companies to disclose potential and realistic risks to prospective investors more accurately and honestly, particularly where those risks are significant factors that make an investment in a given company speculative or risky. Additionally, the guidance reiterates that companies need not disclose information that would put them at further risk of compromise, only that which allows investors to appreciate the nature of such risks before investing.
Bloomberg cites EMC as an example of corporate reluctance to disclose instances of electronic espionage. In March, EMC’s security division, RSA, was beset by a devastating breach. Hackers compromised the company’s networks and pilfered critical data relating to its authentication product, SecurID, which is widely used by banks, corporations and other organizations. By many an analyst’s measure, this was among the biggest security stories of the year, and it made many end-of-year lists accordingly. Speculation has run rampant about the snowballing effect that the release of SecurID trade secrets may have had on the overall network security landscape. Despite this, Bloomberg reports that EMC told investors the incident would have no material impact on the company.