The Securities and Exchange Commission takes seriously its charter to protect shareholders’ interests. Just ask Jeffrey Skilling or Bernard Ebbers. Because of these guys, and dozens like them, there have been substantial changes in disclosure requirements as of late. But did you know that IT security breaches might have to be disclosed in your financial statements as well?
If the early millennial accounting scandals were the threat-de-jour of the first decade, few would argue that the threat-de-jour of the second decade is attacks on non-public information. And don’t pretend it’s limited to financial information and stealing money. All sensitive information is at risk.
In October of 2011, the SEC issued guidance requiring public companies disclose security breaches where sensitive information was disclosed. Says the guidance:
“Material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.”
So public companies must disclose IT security breaches to make other disclosures not misleading (linguistic clarity is not the SEC’s forte`).
And then there’s the slippery little word that everyone knows but no one defines—materiality. It could be a certain percentage of your customer base, the type of information stolen, or the total cost to remediate the problem. Costs which could include reimbursements to customers, credit monitoring for customers, costs to mitigate the controls that failed, and costs to enhance existing controls and monitoring.
According to a June 29, 2012 Associated Press article, Amazon.com had to amend a statement in its 2011 Annual Report to include information about theft of customer data from Zappos.com. This could be the tip of the proverbial iceberg for IT breach disclosures for public companies. In addition to Zappos, since the beginning of 2012 LinkedIn and Global Payment Systems have been exposed. At least those are major ones we know about.
Disclosure is good for shareholders. Investors have a right to know the risks to share value. If value is derived from the trust of a company’s user base to protect the users’ personal information and company secrets, then disclosure of a confirmed breach is absolutely necessary.
But questions arise about the amount of detail that should be included. Including too much information will provide attackers deeper insight into what and how to attack companies—not that I really think hackers, crackers and hacktivists sit around and read MD&A and footnotes of public companies. But when disclosing a breach, management should be sure to limit details to known facts and how the breach impacted financial statements.
IT is no longer a delivery method. It’s deeply integrated into all businesses, and especially public companies. The SEC says shareholders now have a right to know the IT risks—many times they are as integral to the financial statements as the financial and market risks.
Contact the Risk Advisory Services to see how to minimize the IT security threats to your business.