SEC likely to issue cybersecurity disclosure rules based on 2011 guidance

Attorney says Target breach accelerated SEC's efforts in this area

BOSTON--Spurred on by the Target breach and other high-profile breaches, the Securities and Exchange Commission is likely to issue mandatory rules on cybersecurity disclosures for public companies in their SEC filings. The rules would be based on the voluntary staff guidance the regulator issued in 2011, explained Jason Weinstein, a partner at the law firm Steptoe & Johnson who specializes in cybersecurity, at the SANS Security Leadership Summit being held here this week.

In October 2011, the SEC issued staff guidance advising companies to disclose information about cybersecurity risks and cyber incidents in their SEC filings.

In the guidance, the SEC explained that "federal securities laws, in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision. Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents."

This guidance was advisory in nature, not compulsory. However, recent public breaches are pushing the SEC toward making the guidance's recommendations mandatory, Weinstein explained.


"The rules will be based on the guidance; they will be basically the guidance converted into more prescriptive language," he said.

In a letter to the SEC sent last year, Sen. John D. Rockefeller (D-W.Va.), chairman of the Senate Commerce Committee, urged the then-new SEC Chairman, Mary Jo White, to make the guidance mandatory. "Investors deserve to know whether companies are effectively addressing their cybersecurity risks--just as investors should know whether companies are managing their financial and operational risks. This information is indispensable to efficient markets, and as a country, we need the private sector to make significant investments in cybersecurity."

Not everyone agrees. John Mutch, chairman of security firm BeyondTrust, argued in a Forbes column: "Having been CEO of a public company and now as CEO of a global enterprise software company which provides cyber security and compliance solutions to many public companies, I can attest to the growing complexities and pressures of supply (threats and risk to operations) and demand (regulatory requirements) that must be managed on a daily basis. This is going to be an even steeper climb if the SEC requires companies to disclose on their cyber risk."

For more:
- check out the SEC's staff guidance
- see the Rockefeller letter
- read Mutch's Forbes column
