Disclosure a big issue in cybersecurity battle
Corporate disclosure of cyber risks has been a big issue for years now. While there have been some directives from the SEC, such as CF Disclosure Guidance: Topic #2 back in October 2011, it's still pretty much up to companies as to what constitutes something that is material enough to be formally disclosed. The issue cropped up again in the context of the recently issued Executive Order on cyber security.
CFO magazine notes the view of one expert that the order was deliberately vague on the disclosure issue. Still, the issue is alive again, as some are wondering just how much information-sharing, which the order supports, should be going on. While most companies welcome the idea of accepting more information from the federal government--the rich resources of the NSA, for example, would provide significant help--they are wary of sharing information with the federal government for a host of reasons.
"There are a number of risks CFOs should be aware of when considering voluntary disclosure about cyber threats. The first is whether such disclosures will interfere with or be inconsistent with standard SEC filing. 'Should you be disclosing under SEC guidance that you're telling the government about these threats?' Then there's the risk that a disclosure to the government about a security breach could get in the hands of a competitor or criminal and cause further damage. A third worry for CFOs: will companies that choose not to disclose information under the voluntary arrangement be subject to enhanced regulatory scrutiny--or even denied a government contract?" according to the magazine.
The issue is pressing enough that boards need to formulate some policies now--or at least begin to formulate them--before it comes back to haunt them. If an incident results in a massive breach, for example, shareholders could easily question how well they were kept informed about the scale of the damage and the remediation effort. -Jim