BreachExchange mailing list archives

Experts urge U.S. caution on additional cyber threat disclosures
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 27 Mar 2014 18:48:11 -0600

http://www.dailypress.com/business/sns-rt-us-sec-cybercrime-20140326,0,2469777.story

Cyber experts urged U.S. securities regulators on Wednesday to tread
carefully when requiring companies to disclose security breaches and cyber
threats, saying giving too much information may leave them vulnerable to
hackers or legal action.

"I don't think the commission should be going overboard," Roberta Karmel, a
professor at Brooklyn Law School, told a U.S. Securities and Exchange
Commission (SEC) cyber security panel discussion.

"I am not sure the SEC is the agency that really should be pushing
companies to do more by requiring more disclosure of breaches and other
kinds of information that aren't material."

The SEC convened the cyber security event after a recent series of
high-profile data breaches at companies like Target Corp and Neiman Marcus
Group.

Those incidents sparked major public policy debates, including on how
customers should be alerted, who should bear the cost of breaches, and how
such information should be disclosed both to government and the public.

The SEC has also come under considerable political pressure to take
additional steps to require public companies to disclose more information
about cyber threats to investors.

It issued informal staff-level guidance in 2011 to help public companies
decide when and how cyber events should be disclosed. Since then, it has
written to more than 50 companies seeking clarification on cyber-related
disclosures.

Some panelists said they worry going beyond the current cyber security
disclosures could adversely impact companies, and it may not be possible to
strike the right balance.

Companies that overshare information, for instance, could become targets
of shareholder suits and regulatory probes, experts said.

In some cases, federal law enforcement agencies like the FBI also tell
companies they cannot reveal information about cyber attacks, putting
public companies in a difficult position.

"There are circumstances where federal government agencies will show up and
say ... it is classified so you can't talk about it," said Leslie Thornton,
vice president and general counsel for WGL Holdings, Inc. and Washington
Gas Light Company.

PERVASIVE THREAT

U.S. lawmakers have been contemplating legislation to provide clarity about
how notifications should be made, but so far Congress has not been able to
pass any cyber security bills.

Some experts say the SEC needs to do more, whether to issue more formal
commission-level guidance or take steps to ensure companies are disclosing
more material incidents to investors.

Jonas Kron, a senior vice president and director of shareholder advocacy at
Trillium Asset Management LLC, told the SEC on Wednesday he felt the cyber
threat disclosures he has seen since the 2011 guidance were still
inadequate.

"Unfortunately, I think we are seeing a lot of boiler plate" disclosures,
Kron said. "That is the honest truth of what we are seeing, and that is
really unfortunate."

SEC commissioners did not offer any views on what, if anything, the SEC
should do regarding cyber threat disclosures.

However, one SEC commissioner, Democrat Luis Aguilar, called for it to
consider forming an interagency cyber security task force to help inform
the SEC's thinking.

"The increased pervasiveness and seriousness of the cyber security threat
raises questions about whether more should be done to ensure the proper
functioning of the capital markets and the protection of investors," he
said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/