Earlier this week, I was able to sit down with one of our McAfee blog contributors, Leon Erlanger, for a podcast on SEC Security Guidance. Leon published a blog post earlier this month with his thoughts on the new guidance, and you can listen to his podcast interview at the end of this post.
Leon, let’s just jump right into it. There has been some new guidance released by the SEC. Give us some background. What is this? Who is affected? Why should we care?
Well, the first thing to recognize is that this is guidance. It is not regulation. It’s not legislation. It’s guidance that the SEC put out in response to some senators who asked for guidance on how the risk of cyber security attacks and the attacks themselves should be incorporated into certain filings that public companies have to make with the SEC. It was put out by the Division of Corporate Finance, which is where these companies actually make these filings. One of the biggest filings is something called a Form 10-K, which is very much like an annual report.
Basically, the purpose of this is to tell public companies what kind of information they need to incorporate about their risk of cyber security incidents and the actual incidents they have had into the various parts of this Form 10-K, which again, as I said, is very much like an annual report and is meant to be information that investors might use to decide whether or not they should invest in this company.
Really, it is very far-reaching, even though it is not an actual regulation. In some ways, it is even more far-reaching than a lot of regulations. It is very specific and it talks about risks in a very far-reaching way. It really is putting public companies on notice, in my opinion, that they cannot just put cyber security in its own little department that is very separate from the financial wellbeing of the company.
What the SEC is saying now is that cyber security is very much material to the financial wellbeing of the company and should be reported as such.
What’s your take on the cyber security being material? From my perspective, I think this is a great thing. I think most people in the security industry would agree that it has always been material. But it is now just starting, maybe, to be seen that way.
That’s right. In the past, companies really did look at it as some kind of separate thing, because they wanted to. They rarely reported cyber security incidents when they occurred and rarely talked about the actual impact of those incidents.
There are some requirements where they have to report incidents if it affects the privacy of consumer information or similar things, but there are other impacts that cyber security incidents have. A company’s intellectual property very frequently is stored on their infrastructure. It is stored in their hard disks on their infrastructure. If those things are breached and their intellectual property is stolen, it can have a very damaging impact on the company.
As well, a lot of business processes rely on IT infrastructure much more than they ever did in the past. Material to the business… There is this trend over the past 10 years of IT infrastructure and its wellbeing being very material to the business’ wellbeing.
What suggestions do you have for how people should react? We have got an organization that is maybe already addressing Sarbanes-Oxley and PCI. They have got some internal governance they are doing. Is this yet one more item on the checklist?
I would say a lot of companies might look at this as not being a requirement. But I would say that, if the SEC is saying, “Here is how we perceive you should be looking at this,” even if they are not saying it is an actual regulation, then you probably should be looking at it that way.
If an event does happen where the company ends up in a lawsuit or it gets widely reported, I would say one of the first things that may come up is, “Was this company following the SEC guidance?” Companies should be thinking about this much in the same way they are thinking about compliance with Sarbanes-Oxley. Some of the things that they should probably be doing are reviewing their existing cyber security practices, of course, and looking at the impact of past cyber incidents on the company’s operations and quantifying them.
The guidance really spells this out in a very far-reaching way. It is not things like, “How much did it cost to get up and running again?” Instead, it spells out things like, “What kind of remediation efforts did the company have to take with its consumers, and what kind of damage was there to the company’s reputation as a result of a cyber security incident?”
They should be looking at how they disclose such incidents and compare it to what their competitors are doing in terms of disclosure. They should be analyzing. They should be looking at their disclosure controls and procedures to make sure that they actually account for cyber security issues. They should be thinking about this in terms of cyber security and the business being one.
Leon, again, thanks so much for joining us today on our program. We really appreciate it.
Thank you. It was a pleasure.
You can learn more about the Securities and Exchange Commission’s Disclosure Guidance on Cybersecurity on their website, and be sure to read Leon’s latest Security Connected blog post. For future updates on this topic, and on McAfee news and events, follow us on Twitter at @IntelSec_Biz.
The opinions expressed in this blog and podcast are those of the author and do not necessarily reflect the views of McAfee, Inc. This blog is for general information purposes and is not intended to be and should not be taken as legal advice.