Security breaches may be underreported


Security breaches at companies have generated lots of headlines over the past few years, as more companies seem to have fallen victim to increasingly sophisticated cybercriminals. But despite all of the media coverage, there is reason to believe that security breaches at companies are in fact underreported.

When massive breaches occur--the likes of the recent Sony breach--companies usually understand they have an obligation to report the event in their regulatory filings. But what about the myriad much-smaller incidents that result in less carnage but still some stolen data? The Senate Commerce Committee, led by Jay Rockefeller, has taken a look at security breach reporting in filings and has voiced its concerns. It sent a letter to the SEC asking it to set some guidelines that cover when security breaches should be disclosed.

"We are concerned that the lack of quality, public information in these matters enables an inefficient marketplace that devalues security and impairs investor decision-making," the letter said. 

The letter cited a 2009 survey by insurance firm Hiscox that found that 38 percent of Fortune 500 companies made a "significant oversight" by not mentioning privacy or data security exposures in their public filings. The letter continued: "In addition to reporting inconsistencies, it is unclear whether corporations who do disclose their information security risk exposure are adequately assessing and mitigating these risks." The committee reviewed disclosures and found a variety of approaches, from boilerplate disclosure to more detailed narratives. But it did not find any discussion of what steps the company was taking to mitigate the risks, which strikes them as essential information for customers.

The Senators reminded the SEC that "federal securities law obligates the disclosure of any material network breach, including breaches involving sensitive corporate information that could be used by an adversary to gain competitive advantage in the marketplace, affect corporate earnings and potentially reduce market share." 

This is worth some thought by executives and directors. You certainly need some developed processes that govern what happens in the aftermath of a breach, and part of that process should involve a determination of what disclosure rules are in play. Companies may want to err on the side of caution, as this could come back to bite you. At some point, we may see a company dinged for failing to report a breach. - Jim