How can the SEC become the primary regulator of corporate cyber security?

Ben Fagan | August 6, 2014

In 2011, the SEC issued a set of disclosure guidelines that told companies to disclose any potential cyber risk, the possible effects of that risk, and the status of internal controls and risk management procedures in place. It was a grand idea, one that had the potential to protect investors and boards by keeping them in the loop when it came to matters of security. Unfortunately, its grand potential wasn’t brought to fruition. The guidance was never updated to account for the growing frequency of security breaches, and companies were failing to report cyber incidents. Now, the SEC is revisiting the issue and considering turning those guidelines into standards so that companies will have to live up to the level of transparency their investors have come to expect.

Guidelines vs. Standards

Target’s infamous security breach in 2013 was a highly publicized event. Some have questioned why it took Target four days to publicly disclose the breach of its customers’ sensitive information, saying that the retailer had the responsibility to inform customers as soon as the problem was discovered. According to CNBC, Target Chairman and CEO Gregg Steinhafel claims the four-day period from security breach to public disclosure was actually fast, considering the retailer identified, investigated and took security actions during that period.

John Mutch, CEO of BeyondTrust, reported to Forbes that 27 of the largest companies that reported cyber breaches claimed to have suffered no financial losses. Evidence, however, indicated otherwise. Sony doled out $171 million to clean up its incident, while Heartland Payment Systems lost an estimated $140 million.

Breach transparency standards would make it harder for companies to keep the public and their shareholders in the dark about financial losses and potential cyber threats.

Benefits to Shareholders

Is it in the best interest of shareholders for the SEC to set minimum standards rather than guidelines? Douglas Meal of the law firm Ropes & Gray doesn’t think it really matters. According to him, most big businesses don’t see their stock prices plummet after announcing a cyber breach.

On the other hand, businesses such as Target acknowledge that cyber breaches could potentially cost them money and the confidence of their customers. Considering this and the company’s reluctance to be transparent about its major data breach, what should motivate them to be forthcoming with material loss reports?

No matter how effective or ineffective the SEC’s standards would be, one thing is certain: a minimum standard for breach transparency would hold companies accountable for their security procedures, making it more likely that they would regularly measure security performance.

Rather than be subject to investigation by the SEC, companies would hopefully opt to improve their standing with the Commission and shareholders by properly reporting security breaches.
