On October 13, 2011, the Division of Corporation Finance (DCF) of the Securities and Exchange Commission (SEC) issued CF Disclosure Guidance: Topic No. 2 – Cybersecurity, available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm . It provides the DCF’s “views regarding disclosure obligations relating to cybersecurity risks and cyber incidents.” So far, so good.
However, when it is suggested that companies report POTENTIAL security compromises and their costs and consequences, we must examine what they might mean more closely. The SEC lists five examples of what should be disclosed, as follows:
- Business and operational aspects that “give rise to material cybersecurity risks and the potential costs and consequences”
- Outsourced functions that “have material cybersecurity risks” and how the risks are being addressed
- Cyber incidents that “are individually, or in the aggregate, material,” and “a description of the costs and other consequences”
- “Risks related to cyber incidents that may remain undetected for an extended period”
- “Description of relevant insurance coverage”
For some of these situations it is difficult to imagine what type of reporting is required. Virtually all business operations provide the opportunity for material cybersecurity risks, as do most outsourcing arrangements. At what level does the “material” criterion kick in? How does one aggregate risks? And if a cyber incident has been taking place over a long period of time but has not been detected, what risks should be reported … the risk of the incident, or of its not being detected, or both? It is likely that the result of such disclosure requirements will be the usual bland, generalized corporate statements that we have seen so often in the past. Also, as I described in my somewhat controversial September 12, 2011 column “Risk Mismanagement – Scoring vs. Monte Carlo vs. Scoring,” the measurement of risk is personal and there are not any fully satisfactory methods in existence, as far as I know, for aggregating diverse risks. Consequently, corporations are likely to downplay cybersecurity risks until after an incident occurs, at which point they will likely state that the attackers were so smart that they couldn’t have been reasonably expected to defend against them.