SEC releases guidelines for data security breach disclosures

The past year has seen some massive data security breaches against Sony and Citicorp that have affected organizations across the globe. While many companies have been transparent about their defense lapses, many have not disclosed the information quickly enough and, in some cases, have failed to report a problem at all.

To combat this potential disclosure problem, the Securities and Exchange Commission has ordered companies to reveal their data security breaches.

"Cyber incidents may result in losses from asserted and unasserted claims, including those related to warranties, breach of contract, product recall and replacement, and indemnification of counterparty losses from their remediation efforts," the SEC said in its Guidance Notes.

According to the Guidance Notes, new developments have helped organizations migrate their operations toward digital technologies. As more companies now depend on technology for their infrastructure, cybercriminal attacks have also grown.

"In general, cyber incidents can result from deliberate attacks or unintentional events," said the SEC. "We have observed an increased level of attention focused on cyber attacks that include, but are not limited to, gaining unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data, or causing operational disruption."

Although many cyber incidents result from deliberate attacks on IT infrastructure, a breach may also take the form of a denial-of-service attack, which can likewise impair a company's ability to operate. According to the SEC, insiders who use their access to reach the network are also a prevalent threat.

The SEC added that it would like to see organizations adhere to the following disclosure guidelines:

- Discussion of aspects of the registrant's business or operations that give rise to material cybersecurity risks and the potential costs and consequences.
- To the extent the registrant outsources functions that have material cybersecurity risks, a description of those functions and how the registrant addresses those risks.
- Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences.
- Risks related to cyber incidents that may remain undetected for an extended period.
- Description of relevant insurance coverage.

Data security remains a risk for companies of all sizes and industries. The damage resulting from a breach may expose sensitive customer or organizational information, and some IT professionals believe an attack may shut down a business permanently.

According to a recent study conducted by Imago Techmedia for the IP EXPO, nearly 20 percent of respondents indicated their business would not be able to recover immediately after a data security breach, and some said their business might never re-open.

"Respondents to our survey overwhelmingly agreed that IT security should not be viewed as an isolated activity, but would best be treated as an integrated part of businesses’ entire technology reviews and processes," said Imago Techmedia social business and content director Mike England.

While a security breach may affect only a particular department within an organization, an overwhelming majority of respondents believe their businesses would be better served by collaborating on their cyber defenses.

Of those surveyed, 70 percent said collaboration across all information and communication departments would help deter future threats. Also, nearly 50 percent of participants indicated their organizations need greater security-related ICT cooperation, according to the study.

"Given the attention and money poured into security for many years now, the headline figure comes as quite a shock," said England. "It is when we get into the detail, the myriad ways in which security is - or isn't - addressed, that we see how such a figure can be reached."