The Office of the National Counterintelligence Executive recently released a report highlighting the current threats to America’s economic security: foreign economic collection and industrial espionage against American businesses. The two major culprits are China and Russia. With both countries aiming to achieve economic prosperity, states the report, cyberattacks that attempt to steal valuable trade secrets and technological information are and will remain rampant.

There is no doubt that cyberattacks are a serious threat to businesses, both in terms of security and costs. Yet, while cyberattacks can cost millions of dollars in recovery, whether triggered by a Chinese spy or the trustworthy employee in the cubicle next door, little is known about the actual financial harm cyberattacks have had on American businesses and the American economy. One reason often cited is the lack of disclosure by businesses that are aware of a cyberattack but are too embarrassed to report the cyberattack to the authorities.
In a survey conducted by McAfee, a security firm, and the Science Applications International Corporation, one in ten companies only report when legally obligated, and only three in ten report all data breaches.
Public companies prefer to stay quiet to protect their reputations, remain attractive to shareholders and potential shareholders, and to avoid accusing potential business partners, including governments. (Although, none of this was a concern to Google when the company reported China’s alleged cyberattack).
Public companies have been able to save face, that is, until now.
After lawmakers urged the Securities and Exchange Commission (SEC) to provide guidance on what public companies must do to disclose cyberattacks, the SEC released a statement clarifying that disclosing cyberattacks is no longer an option, but a must.
Keeping in mind that “federal securities laws, in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision,” the SEC made it clear that cyberattacks fall within the type of risks that a shareholder should be made aware of.
In determining that disclosure is necessary, the SEC underscores the costs associated with exposure to cyberattacks. For example, more personnel or consultants may be needed, new technologies may be adopted, and remediation may be offered to those materially affected by a cyberattack on a company, all of which amount to substantial costs to the company that shareholders should know about.
The cost of disclosure, however, may also be high. According to the SEC, public companies should make a diligent effort to evaluate risks, including incidents that have already occurred and potential future ones, estimate potential loss, and determine whether their preventative measures and cybersecurity are adequate. After taking all of these factors into account, a company would have to disclose actual and potential cyberattack risks based on whether such factors indicate that the risk would be material to shareholders. Moreover, the company would want to include what measures it is taking to prevent and remedy such cyberattacks.
The SEC recognizes that companies are worried that disclosure would create a “roadmap” to trade secrets and to a company’s potential vulnerabilities. But the SEC says that companies should not fret, because disclosures “of that nature” are not required.
Nevertheless, companies do fear that the disclosure of cyber vulnerabilities will not only expose them, but also lower the value of their stock.
If only the SEC was like the FCC in helping companies achieve cybersecurity! But, then again, the SEC is looking out for you, the investor.