BreachExchange mailing list archives

SEC outlines requirement that companies report data breaches


From: Richard Forno <rforno () infowarrior org>
Date: Fri, 14 Oct 2011 21:28:51 -0400

Cybersecurity: SEC outlines requirement that companies report data breaches

By Ellen Nakashima and David S. Hilzenrath, Updated: Friday, October 14, 7:45 PM

http://www.washingtonpost.com/world/national-security/cybersecurity-sec-outlines-requirement-that-companies-report-data-breaches/2011/10/14/gIQArGjskL_print.html

Cyberspies and criminals steal what is estimated to be tens of billions of dollars worth of data from U.S. companies 
each year. Yet experts say few companies report these losses to shareholders.

Now the Securities and Exchange Commission is pressing for more disclosure, issuing new guidelines this week that make 
clear that publicly traded companies must report significant instances of cybertheft or attack, or even when they are 
at material risk of such an event.

“Investors have been kept completely in the dark,” said Sen. John D. Rockefeller IV (D-W.Va.), chairman of the Senate 
commerce committee, which urged the SEC to take the action. “This guidance changes everything. It will allow the market 
to evaluate companies in part based on their ability to keep their networks secure.”

The SEC guidance clarifies a long-standing requirement that companies report “material” developments, or matters 
significant enough that an investor would want to know about them. The guidance spells out that cyberattacks are no 
exception.

For example, the SEC says, a company probably will need to report on costs and consequences of material intrusions in 
which customer data are compromised. The company’s revenue could suffer, and it could be forced to spend money to beef 
up security or fight lawsuits. In addition, if a company is vulnerable to cyberattack, investors may need to be 
informed of the risk, the SEC said.

The move is a significant step toward transparency in an opaque area of corporate security and should spur greater 
awareness that protecting computer networks is crucial to a company’s bottom line, experts said. Combating espionage 
against corporate America by hackers in China and other countries is a matter of national and economic security, U.S. 
officials have said, and they say understanding the scope of the problem is key to fashioning an effective response.

“It’ll force executives to really understand what’s going on within their corporations,” said Melissa Hathaway, a 
former White House cyber coordinator who has long advocated the SEC strengthen its guidance. “I think it will create 
the demand curve for cybersecurity.”

But the SEC is pushing against a corporate culture predisposed to secrecy. “It’s very unlikely companies are going to 
belly up to the bar and run around and start reporting this all of sudden,” said Jody Westby, chief executive of Global 
Cyber Risk, a consulting firm.

Westby said she advised a Fortune 100 company that had suffered a major breach in 2008 that the company report it to 
the SEC. “They just laughed and said, ‘We don’t agree,’ ” she recalled. “Companies involved in breaches are very 
reluctant to reveal what happened, and much less tell the SEC what happened. Why? Because of a fear of reputational 
damage.”

Experts said this is why the guidance is necessary — to underscore that disclosure of material breaches is mandatory.

But Larry Ponemon, chairman of the Ponemon Institute, a research group in Traverse City, Mich., said reporting on 
potential risk is almost meaningless because virtually every firm is at risk and “almost every major organization” has 
suffered a breach. He predicted that companies still will provide only minimal disclosure.

Some companies may want to disclose a hacking incident but do not have the expertise to assess the damage, said John 
Reed Stark, a former SEC official and now a security consultant with Stroz Friedberg. “Yet the SEC has clearly launched 
a shot across the bow,” he said. He urged the SEC to allow companies some latitude. “Otherwise the result will be chaos 
and confusion,” he said.

Companies that fail to make disclosures could face various consequences, said David B.H. Martin, co-head of the 
securities practice at Covington & Burling. They could be sued by shareholders or subjected to SEC enforcement actions. 
Regulators also could send them letters calling on them to improve their disclosures.

Calculating the costs of cybertheft, whether for criminal or espionage purposes, is difficult. The Ponemon Institute 
has found the average cost of a breach to be between $5 million and $8 million. But it took nine months to assess the 
impact on 50 companies, Larry Ponemon said.

Scott Borg, an economist with the nonprofit U.S. Cyber Consequences Unit, said companies often do not know the value or 
extent of data loss. Using data from the U.S. Bureau of Economic Analysis, he has estimated the annual loss to 
cybertheft at $6 billion to $20 billion.

One of the few companies to report a compromise to the SEC was Intel, which did so in January 2010 — shortly after 
Google’s disclosure that it had been hacked by attackers in China who stole valuable source code. Alan Paller of the 
SANS Institute has said Google was among more than 80 companies hit by the same malware.

Intel spokesman Chuck Mulloy this year said that “nothing of any value was taken that we can tell,” though he added, 
“We can’t say that with absolute certainty.”

“You don’t want to disclose confidential or proprietary information,” Mulloy said. “But to the extent you can disclose 
and be as forthright as you can, it’s simply good corporate governance.”



© The Washington Post Company



---
Just because i'm near the punchbowl doesn't mean I'm also drinking from it.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
