Two months after EMC disclosed that its security division had experienced “an extremely sophisticated cyberattack” — putting its popular RSA SecurID tokens and the data-security needs of its corporate customers that use the authentication tools at risk — the Securities and Exchange Commission questioned whether EMC was holding back. In a comment letter, the regulator asked how the cost of protecting the storage giant against future breaches affected its financial results.
In response, Denis Cashman, EMC’s chief accounting officer, insisted that costs related to IT fixes and reeducating the company’s employees on security matters did not amount to “a material impact” on EMC’s first-quarter results. In other words, the company did not technically need to explain to investors how the losses that were felt in one of its divisions from this one incident affected the entire company. Cashman told the regulator EMC would continue to assess the effect of the attack and “will include a discussion of such impact as appropriate in future filings.”
The discussion in May reflects a rare back-and-forth between the SEC and its registrants over cybersecurity-risk disclosures. Following its issuance of new guidance last month, however, these exchanges could increase in number. The SEC previously hadn’t spelled out its expectations for how publicly traded companies should address cyberattacks in its regulatory filings, although the agency has always required companies to discuss the major risks and incidents that materially affect their business. Companies are already subject to state regulations for disclosing data breaches that could affect consumers’ privacy, but have not explicitly been required to consider investors’ need to know similar information.
The new SEC guidelines don’t change any existing rules, but instead clarify that companies need to consider cybersecurity risks when they determine which of “the most significant factors that make an investment in the company speculative or risky” to include in their regulatory filings.
The guidance has been a long time coming. Earlier this year, five senators pressed the commission to come up with guidelines. In a letter to SEC chairman Mary Schapiro, they cited a 2009 survey that found 38% of Fortune 500 companies did not include the possibility of their being exposed to private- or data-security breaches in documents submitted to the commission. Indeed, a couple of years ago, “there was a general sentiment that the SEC staff really didn’t know the extent of cyberattacks at both public companies and other regulated entities,” says John Stark, who founded the SEC’s Office of Internet Enforcement and now works at Stroz Friedberg, a digital-risk management consultancy.
Despite some clarification, the guidance will still cause some head-scratching for CFOs as they debate what type of information to include, particularly in the short time following a cyberattack when its full impact has not yet been felt. Companies hire Stark’s firm to investigate possible attacks, often before any disclosure is made to the public or even the board of directors. It may take a while to find out whether the incident is relatively innocuous or a sophisticated malware attack. The new SEC guidance is “another huge burden on a public company to be full, fair, and accurate and not misleading when they’re not even sure exactly what happened,” Stark says. “They don’t want to say they’re not sure because it makes them look weak, but the reality is it’s very hard to know.”
It’s also hard for companies to determine how extensive their disclosures should be. The SEC doesn’t want to read about generic risks that could apply to any company, and the agency also doesn’t want too many specifics. “We are mindful of potential concerns that detailed disclosures could compromise cybersecurity efforts — for example, by providing a ‘roadmap’ for those who seek to infiltrate a registrant’s network security,” the SEC wrote.
The seven-page document says companies that have suffered an attack should consider including the cost of replacing stolen assets, repairing IT systems, implementing protection services, and hiring third parties to make amends. Companies may also need to highlight lost revenues from failing to retain or win over new customers as the result of an IT breach.
All companies should at least consider the guidance but refrain from being overly forthcoming just because the SEC has new guidance, according to Howard Berkenblit, a partner at law firm Sullivan & Worcester LLP. “If there’s nothing unique and not particularly material to your company, you don’t have to disclose anything,” he says.
Moreover, providing new information could suggest a small problem or risk is actually a big deal. “You could imply something is more material than it is if you include it in the document,” says Berkenblit.