Motley Moose – Archive

Since 2008 – Progress Through Politics

SEC to Enterprises: "Account for Cybersecurity in Dollars and Sense."

On October 13 the Securities and Exchange Commission (SEC) released CF Disclosure Guidance: Topic No. 2. This document establishes requirements for public companies to account for the cost of cybersecurity incidents and defenses, as well as to disclose their cyber risk mitigation plans to investors.

This sets the stage for a scene where a public company loses in court, a judge ruling their cyber risk mitigation plan not reflective of diligent best practices.

How this reflects into actions by enterprises will tell whether this matters or not, of course. But putting the question explicitly into the class-actionable hands of investors could focus many organizations on a topic they can relate directly to:

“When you are standing in court, do you really expect the jury to believe you have done enough?”

Crossposted from Infosec Island

From the document:

The federal securities laws, in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision.

That a reasonable investor would consider important. Like, “What have you done to keep hackers from disabling your global game network/energy generation/shipping operation?” It would be encouraging to see investors requiring that answer in writing. Most importantly to align the people who would do the work if they could, with the resources they need.

The next bit ties cyber disclosure requirements to existing disclosure processes, which is rather tidy:

Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. In addition, material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.

IOW: “It doesn’t matter if your capital equipment has a mean time between failure of twenty years, if you give it an open Internet connection you will have to capitalize the risk as if it will be dead in a week.”

The next section talks about Risk measurement.

“…we expect registrants to evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents.”

Prior history in IT security will provide a lot of fodder in that realm to plot severity and frequency curves. Recent ICS vulnerability trends, Stuxnet and other related news should be enough that a reasonable investor could be assumed to ask how the curves in that part of the business are kept from getting all spiky, too.

“…consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption.”

As investors and enterprises unwind that one, the risk of low-likelihood high-impact incidents may in some cases turn out to more than justify the cost of remediation.

“…consider the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware.”

In the context of the industry in which they operate.

Energy, banking, transportation.

The rest of the document then goes on to describe the general detail of disclosure content, legal process and financial reporting. But at the end, there is this nugget:

“To the extent cyber incidents pose a risk to a registrant’s ability to record, process, summarize, and report information that is required to be disclosed in Commission filings, management should also consider whether there are any deficiencies in its disclosure controls and procedures that would render them ineffective. For example, if it is reasonably possible that information would not be recorded properly due to a cyber incident affecting a registrant’s information systems, a registrant may conclude that its disclosure controls and procedures are ineffective.”

Security isn’t much without knowing what just happened, so that sounds a lot like secure logging.

Some of the wording seems to indicate that the authors were at perhaps not deeply aware of the state of ICS cybersecurity, but aware enough to focus on “operational” and financial terms which would include both.

There could be hope that this kind of guidance from those who hold the Big Purse Strings will have a positive effect on security efforts. Compliance with a given regime such as PCI or NERC CIP by itself would not necessarily satisfy a reasonable investor with more than a passing familiarity with cybersecurity.

If you are a public company, and someone hacking into your facility and turning into a Superfund site might hurt your bottom line, you are now required to explain what you are doing about it


  1. anna shane

    something like a standard of practice. probably when a company has been hacked and their customers have suffered harm they will have to show that they took the potential threat seriously and used ‘standard of security’ or whatever they’ll call is and that will keep them from being sued by those they hurt.

    That’s what happens in medical practice, you only have to show that you followed standard of care at that time to not get sued. But it changes, so it can’t be locked into any technology.

    they’ll have to have a security person on their payroll who monitors advances in security, and who reports to the ceo and they’ll have to have a post-mortem plan for what they do right after they’ve been hacked.  

    This will protect them more than it protects us.  

Comments are closed.