For Businesses, Coming Clean about Cyber-attacks is a Complicated Decision
By Donald Scarinci, NJ.com
on June 25, 2013 at 10:26 AM, updated June 25, 2013 at 10:51 AM
Cyber-attacks are a growing threat to U.S. companies, costing millions of dollars every year. Yet very few companies disclosed that they suffered intrusions in 2012, according to filings with the Securities and Exchange Commission (SEC).
In guidance issued in 2011, the SEC clarified that although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. For example, the Division of Corporate Finance's Disclosure Guidance Topic No. 2 (Cybersecurity) states that registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.
With regard to post-cyber-attack disclosure obligations, the guidance states that data breaches and other incidents should be disclosed if they are reasonably likely to have a material effect on the company's operations, liquidity, and financial condition. Examples cited include reduced revenues, an increase in cybersecurity protection costs, and litigation.
Despite these guidelines, companies are understandably not in a rush to disclose that they have been hacked. Risks of disclosure include decreased customer loyalty, depreciated stock value and legal liability. In some cases, disclosure may also hamper internal and external investigations into the cyber-attacks and increase the risk of future attacks.
The reluctance has not gone unnoticed. The SEC has contacted companies after data breaches reported in the media did not appear on quarterly disclosure statements. In the case of both Amazon and Citigroup, the companies responded that the losses associated with the attacks did not warrant disclosure under the SEC guidelines.
Lawmakers are also calling for tougher disclosure obligations, arguing that investors are not given enough information to accurately assess the risks. "While the staff guidance has had a positive impact on the information available to investors on these matters, the disclosures are generally still insufficient for investors to discern the true costs and benefits of companies' cybersecurity practices," West Virginia Sen. Jay Rockefeller wrote in a recent letter to SEC Chairwoman Mary Jo White.
The SEC has not yet indicated whether additional guidance will be forthcoming. While cyber-attack data is useful to both investors and government regulators looking to assess the threat, there are significant downsides to releasing too much information. As even the SEC acknowledged, detailed disclosures could compromise cybersecurity efforts by essentially providing a "roadmap" for those who seek to infiltrate a registrant's network.
Donald Scarinci is a New Jersey lawyer and managing partner of Scarinci Hollenbeck, LLC, a regional law firm with offices in New York, New Jersey and Washington, D.C. His columns feature legal issues in the news and articles about the business and practice of law. He also writes regularly in Politicker NJ and the Constitutional Law Reporter.