Regulation & Compliance

How can the SEC become the primary regulator of corporate cyber security?

Ben Fagan | August 6, 2014

In 2011, the SEC issued a set of disclosure guidelines that told companies to disclose any potential cyber risk, the possible effects of that risk, and the status of the internal controls and risk management procedures in place. It was a grand idea, one that had the potential to protect investors and boards by keeping them in the loop on matters of security. Unfortunately, its potential was never realized. The guidance was not updated to account for the growing frequency of security breaches, and companies were failing to report cyber incidents. Now the SEC is revisiting the issue and considering turning those guidelines into standards, so that companies will have to live up to the level of transparency their investors have come to expect.

Guidelines vs. Standards

Target’s infamous security breach in 2013 was a highly publicized event. Some have questioned why it took Target four days to publicly disclose the breach of its customers’ sensitive information, saying that the retailer had a responsibility to inform customers as soon as the problem was discovered. According to CNBC, Target Chairman and CEO Gregg Steinhafel claims the four-day period from breach to public disclosure was actually fast, considering that the retailer identified and investigated the incident and took security actions during that period.

John Mutch, CEO of BeyondTrust, reported to Forbes that 27 of the largest companies that reported cyber breaches claimed to have suffered no financial losses. The evidence, however, indicated otherwise: Sony spent $171 million to clean up its incident, while Heartland Payment Systems lost an estimated $140 million.

Breach transparency standards would make it harder for companies to keep the public and their shareholders in the dark about financial losses and potential cyber threats.

Benefits to Shareholders

Is it in the best interest of shareholders for the SEC to set minimum standards rather than guidelines? Douglas Meal of the law firm Ropes & Gray doesn’t think it really matters. According to him, most big businesses don’t see their stock prices plummet after announcing a cyber breach.

On the other hand, businesses such as Target acknowledge that cyber breaches could potentially cost them money and the confidence of their customers. Given this, and the company’s reluctance to be transparent about its major data breach, what should motivate businesses to be forthcoming with reports of material losses?

No matter how effective or ineffective the SEC’s standards would be, one thing is certain: a minimum standard for breach transparency would hold companies accountable for their security procedures, making it more likely that they would regularly measure security performance.

Rather than be subject to investigation by the SEC, companies would hopefully opt to improve their standing with the Commission and shareholders by properly reporting security breaches.
