The "Catch-22" of Cybersecurity Incident Disclosures
Cybersecurity breach disclosures are in a class by themselves. That’s in part because the SEC hasn’t set hard-and-fast rules about what and when to disclose; it merely provides guidelines. Companies have to rely on their own judgment when making disclosure decisions – at least for now.
A bill was introduced in Congress earlier this year that seeks to clarify the process. Marsha Blackburn of Tennessee and Peter Welch of Vermont introduced the Data Security and Breach Notification Act of 2015 in January. Cybersecurity is “the battlefield of the 21st Century,” Blackburn has said, and the American people “deserve to know that their personal information is safe and secure.”
The bill would require U.S. company boards to have a director with expertise in cybersecurity, and the Federal Trade Commission would provide online learning tools. Companies would have to report larger breaches to the appropriate agencies including the Secret Service or FBI.
As part of the existing SEC guidelines, the agency has asked companies to be as specific as possible in their disclosures. The commission asks that a company describe the material risks involved in a breach and outline how each risk will affect the company. It requests that companies not use generic or boilerplate language.
“When disclosing a cybersecurity incident with investors, companies must be prepared to discuss both the specifics of the event and the resulting financial implications,” said Rob Berick, senior vice president and managing director, Falls Communications. “Equally important, companies need to be able to educate investors on the corrective actions taken to prevent similar incidents from happening in the future.”
And yet, there are times when law enforcement officials might want the company to hold back some information to aid them in an investigation. At other times, information might be withheld until the IT department is sure the hacker has completely left the system. That creates a Catch-22 for companies as to which enforcement organization to comply with.
“Determining the information to disclose to investors about cybersecurity risks and incidents is complex and challenging for public companies,” said Cornerstone Research, which specializes in economic and financial analysis, in a report. “Of critical importance is balancing the need to provide timely, comprehensive and accurate information to investors while not disclosing information that could serve as a roadmap to those who seek to exploit a company’s vulnerabilities.”
“But just because current guidelines aren’t clear doesn’t mean regulators will turn a blind eye to disclosure issues,” said the International Association of Privacy Professionals.
“Costs triggered by regulators can include individual notifications, heavy fines, injunctions, paying for credit-monitoring services, government audits, and even criminal liability,” the association said.
And federal regulators aren’t the only ones with a say in disclosure policy. Most states have disclosure laws in place, particularly for cases in which consumer information is exposed.
Depending on the industry, companies may also face scrutiny under other laws as far-flung as the Health Insurance Portability and Accountability Act, the Fair Credit Reporting Act, the Federal Information Security Management Act, or the Homeland Security Act of 2002. Agencies including the Federal Trade Commission, the Department of Health and Human Services, and the Office of the Comptroller of the Currency might also become involved.
And while the SEC hasn’t come out with a mandate, companies would do well to carefully follow the existing guidelines and educate themselves as to how they’ve played out in past breaches, said Richard Bortnick, a lawyer at Traub, Lieberman Straus & Shrewsberry, at a NetDiligence Cyber Risk & Privacy Forum.
“There’s not a mandate and nothing that says you have to comply – other than common sense, and an effort to keep your company from being sued for securities fraud,” he said.